html-pipeline 2.12.0 → 2.13.1
- checksums.yaml +4 -4
- data/.github/FUNDING.yml +4 -0
- data/.travis.yml +10 -0
- data/Appraisals +4 -0
- data/CHANGELOG.md +114 -33
- data/Gemfile +1 -0
- data/README.md +11 -8
- data/lib/html/pipeline/autolink_filter.rb +6 -1
- data/lib/html/pipeline/camo_filter.rb +14 -4
- data/lib/html/pipeline/markdown_filter.rb +23 -6
- data/lib/html/pipeline/sanitization_filter.rb +24 -19
- data/lib/html/pipeline/syntax_highlight_filter.rb +15 -11
- data/lib/html/pipeline/version.rb +1 -1
- metadata +6 -6
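--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 98e2f770a5c65764d3f1876186ada3b9f3566997ec706c11a835216b9a5f2cb6
+data.tar.gz: 7a839e8ec04a801868674916f2521d3d098dbace80e57b4f3ce3bc9997592b7b
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 63e9bd15cf65b8765d1046d77f7a675d3dc44d8c82a717bec18722b38275753010c9793f3dec3fcf46f7ad5e4021e33b96280efa6324a3cb37092606c5c37f50
+data.tar.gz: df99642a2bc048ce6d5f7e52dc1816c5589af7a7503b7f69f842fbc361d70e57601376b437cd56b40161d131d27eddc31b62230f6d7672ccfba3666afef6e1df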
data/.github/FUNDING.yml
ADDED
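--- a/data/.travis.yml
+++ b/data/.travis.yml
@@ -13,6 +13,7 @@ addons:
 script: bundle exec rake
 
 gemfile:
+- gemfiles/rails_6.gemfile
 - gemfiles/rails_5.gemfile
 - gemfiles/rails_4.gemfile
 - gemfiles/rails_3.gemfile
@@ -20,6 +21,7 @@ gemfile:
 rvm:
 - 2.4.6
 - 2.3.8
+- 2.5.7
 - ruby-head
 
 matrix:
@@ -27,7 +29,15 @@ matrix:
 allow_failures:
 - rvm: ruby-head
 exclude:
+- gemfile: gemfiles/rails_6.gemfile
+rvm: 2.4.6
+- gemfile: gemfiles/rails_6.gemfile
+rvm: 2.3.8
+- gemfile: gemfiles/rails_4.gemfile
+rvm: 2.5.7
 - gemfile: gemfiles/rails_4.gemfile
 rvm: 2.4.6
+- gemfile: gemfiles/rails_3.gemfile
+rvm: 2.5.7
 - gemfile: gemfiles/rails_3.gemfile
 rvm: 2.4.6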
data/Appraisals
CHANGED
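--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,80 +1,161 @@
 # CHANGELOG
 
+## 2.12.3
+
+* Bug fix in `SyntaxHighlightFilter` [#325](https://github.com/jch/html-pipeline/pull/325)
+
+## 2.12.2
+
+* Allow unsafe option for Custom Renderer of `MarkdownFilter` [#322](https://github.com/jch/html-pipeline/pull/322)
+* Test with minitest-focus
+
+## 2.12.1
+
+* Allow Custom Renderer for `MarkdownFilter` [#318](https://github.com/jch/html-pipeline/pull/318)
+* Test against more Rails versions
+
+## 2.12.0
+
+* Team mention filter [#314](https://github.com/jch/html-pipeline/pull/314)
+
+## 2.11.1
+
+* Avoid YARD warning: Unknown tag @mention [#309](https://github.com/jch/html-pipeline/pull/309)
+* Freeze string literals in Ruby 2.3 and beyond [#313](https://github.com/jch/html-pipeline/pull/313)
+
+## 2.11.0
+
+* Test against Ruby 2.4 [#310](https://github.com/jch/html-pipeline/pull/310)
+* CamoFilter: use String#unpack to hexencode URLs [#256](https://github.com/jch/html-pipeline/pull/256)
+
+## 2.10.0
+
+* Add XMPP URI [#307](https://github.com/jch/html-pipeline/pull/307)
+* Stop testing against Ruby 2.2
+
+## 2.9.2
+
+* Whitelist various inline semantic/formatting tags [#306](https://github.com/jch/html-pipeline/pull/306)
+
+## 2.9.1
+
+* Render irc and ircs URLs [#191](https://github.com/jch/html-pipeline/pull/191)
+
+## 2.9.0
+
+* Fix one more missing freeze [#300](https://github.com/jch/html-pipeline/pull/300)
+* Adds `UNSAFE` option to CommonMarker usage where needed [#304](https://github.com/jch/html-pipeline/pull/304)
+
+## 2.8.4
+
+* Freeze all elements in HTML::Pipeline::SanitizationFilter [#299](https://github.com/jch/html-pipeline/pull/299)
+
+## 2.8.3
+
+* Whitelist some accessibility properties [#298](https://github.com/jch/html-pipeline/pull/298)
+
+## 2.8.2
+
+* Update ruby-sanitize (fixes CVE-2018-3740)
+
+## 2.8.1
+
+* Fix XSS vulnerability on table of content generation [#296](https://github.com/jch/html-pipeline/pull/296)
+
+## 2.8.0
+
+* Ensure `<pre>` nodes are not removed after syntax highlighting [#295](https://github.com/jch/html-pipeline/pull/295)
+
+## 2.7.2
+
+* Apply mention filter & emoji filter on node text [#290](https://github.com/jch/html-pipeline/pull/290)
+* Disable processing @mentions in `<script>` tag [#292](https://github.com/jch/html-pipeline/pull/292)
+* Update dependencies [#291](https://github.com/jch/html-pipeline/pull/291)
+
+## 2.7.1
+
+* Output underlying load error when wrapping [#284](https://github.com/jch/html-pipeline/pull/284)
+
+## 2.7.0
+
+* Let users set the common marker extensions [#279](https://github.com/jch/html-pipeline/pull/279)
+
 ## 2.6.0
-
-*
+
+* Switch from github-markdown to CommonMark [#274](https://github.com/jch/html-pipeline/pull/274)
+* Fixed a few warnings
 
 ## 2.5.0
 
-* Ruby 2.4 support. Backwards compatible, but bumped minor version so projects can choose to lock at older version [#268](https://github.com/jch/html-pipeline/pull/268)
+* Ruby 2.4 support. Backwards compatible, but bumped minor version so projects can choose to lock at older version [#268](https://github.com/jch/html-pipeline/pull/268)
 
 ## 2.4.2
 
-* Make EmojiFilter generated img tag HTML attributes configurable [#258](https://github.com/jch/html-pipeline/pull/258)
+* Make EmojiFilter generated img tag HTML attributes configurable [#258](https://github.com/jch/html-pipeline/pull/258)
 
 ## 2.4.1
 
-* Regression in EmailReplyPipeline: unfiltered content is being omitted [#253](https://github.com/jch/html-pipeline/pull/253)
+* Regression in EmailReplyPipeline: unfiltered content is being omitted [#253](https://github.com/jch/html-pipeline/pull/253)
 
 ## 2.4.0
 
-* Optionally filter email addresses [#247](https://github.com/jch/html-pipeline/pull/247)
+* Optionally filter email addresses [#247](https://github.com/jch/html-pipeline/pull/247)
 
 ## 2.3.0
 
-* Add option to pass in an anchor icon, instead of using octicons [#244](https://github.com/jch/html-pipeline/pull/244)
+* Add option to pass in an anchor icon, instead of using octicons [#244](https://github.com/jch/html-pipeline/pull/244)
 
 ## 2.2.4
 
-* Use entire namespace so MissingDependencyError constant is resolved [#243](https://github.com/jch/html-pipeline/pull/243)
+* Use entire namespace so MissingDependencyError constant is resolved [#243](https://github.com/jch/html-pipeline/pull/243)
 
 ## 2.2.3
 
-* raise MissingDependencyError instead of aborting on missing dependency [#241](https://github.com/jch/html-pipeline/pull/241)
-* Fix typo [#239](https://github.com/jch/html-pipeline/pull/239)
-* Test against Ruby 2.3.0 on Travis CI [#238](https://github.com/jch/html-pipeline/pull/238)
-* use travis containers [#237](https://github.com/jch/html-pipeline/pull/237)
+* raise MissingDependencyError instead of aborting on missing dependency [#241](https://github.com/jch/html-pipeline/pull/241)
+* Fix typo [#239](https://github.com/jch/html-pipeline/pull/239)
+* Test against Ruby 2.3.0 on Travis CI [#238](https://github.com/jch/html-pipeline/pull/238)
+* use travis containers [#237](https://github.com/jch/html-pipeline/pull/237)
 
 ## 2.2.2
 
-* Fix for calling mention_link_filter with only one argument [#230](https://github.com/jch/html-pipeline/pull/230)
-* Add html-pipeline-linkify_github to 3rd Party Extensions in README [#228](https://github.com/jch/html-pipeline/pull/228)
+* Fix for calling mention_link_filter with only one argument [#230](https://github.com/jch/html-pipeline/pull/230)
+* Add html-pipeline-linkify_github to 3rd Party Extensions in README [#228](https://github.com/jch/html-pipeline/pull/228)
 
 ## 2.2.1
 
-* Soften Nokogiri dependency to versions ">= 1.4" [#208](https://github.com/jch/html-pipeline/pull/208)
+* Soften Nokogiri dependency to versions ">= 1.4" [#208](https://github.com/jch/html-pipeline/pull/208)
 
 ## 2.2.0
 
-* Only allow cite attribute on blockquote and restrict schemes [#223](https://github.com/jch/html-pipeline/pull/223)
+* Only allow cite attribute on blockquote and restrict schemes [#223](https://github.com/jch/html-pipeline/pull/223)
 
 ## 2.1.0
 
-* Whitelist schemes for longdesc [#221](https://github.com/jch/html-pipeline/pull/221)
-* Extract emoji image tag generation to own method [#195](https://github.com/jch/html-pipeline/pull/195)
-* Update README.md [#211](https://github.com/jch/html-pipeline/pull/211)
-* Add ImageFilter for image url to img tag conversion [#207](https://github.com/jch/html-pipeline/pull/207)
+* Whitelist schemes for longdesc [#221](https://github.com/jch/html-pipeline/pull/221)
+* Extract emoji image tag generation to own method [#195](https://github.com/jch/html-pipeline/pull/195)
+* Update README.md [#211](https://github.com/jch/html-pipeline/pull/211)
+* Add ImageFilter for image url to img tag conversion [#207](https://github.com/jch/html-pipeline/pull/207)
 
 ## 2.0
 
 **New**
 
-* Implement new EmojiFilter context option: ignored_ancestor_tags to accept more ignored tags. [#170](https://github.com/jch/html-pipeline/pull/170) @JuanitoFatas
-* Add GitHub flavor Markdown Task List extension [#162](https://github.com/jch/html-pipeline/pull/162) @simeonwillbanks
-* @mention allow for custom regex to identify usernames. [#157](https://github.com/jch/html-pipeline/pull/157) @brittballard
-* EmojiFilter now requires gemoji ~> 2. [#159](https://github.com/jch/html-pipeline/pull/159) @jch
+* Implement new EmojiFilter context option: ignored_ancestor_tags to accept more ignored tags. [#170](https://github.com/jch/html-pipeline/pull/170) @JuanitoFatas
+* Add GitHub flavor Markdown Task List extension [#162](https://github.com/jch/html-pipeline/pull/162) @simeonwillbanks
+* @mention allow for custom regex to identify usernames. [#157](https://github.com/jch/html-pipeline/pull/157) @brittballard
+* EmojiFilter now requires gemoji ~> 2. [#159](https://github.com/jch/html-pipeline/pull/159) @jch
 
 **Changes**
 
-* Restrict nokogiri to >= 1.4, <= 1.6.5 [#176](https://github.com/jch/html-pipeline/pull/176) @simeonwillbanks
-* MentionFilter#link_to_mentioned_user: Replace String introspection with Regexp match [#172](https://github.com/jch/html-pipeline/pull/172) @simeonwillbanks
-* Whitelist summary and details element. [#171](https://github.com/jch/html-pipeline/pull/171) @JuanitoFatas
-* Support ~login for MentionFilter. [#167](https://github.com/jch/html-pipeline/pull/167) @JuanitoFatas
-* Revert "Search for text nodes on DocumentFragments without root tags" [#158](https://github.com/jch/html-pipeline/pull/158) @jch
-* Drop support for ruby ree, 1.9.2, 1.9.3 [#156](https://github.com/jch/html-pipeline/pull/156) @jch
-* Skip EmojiFilter in `<tt>` tags [#147](https://github.com/jch/html-pipeline/pull/147) @moskvax
-* Use Linguist lexers [#153](https://github.com/jch/html-pipeline/pull/153) @pchaigno
-* Constrain Active Support >= 2, < 5 [#180](https://github.com/jch/html-pipeline/pull/180) @jch
+* Restrict nokogiri to >= 1.4, <= 1.6.5 [#176](https://github.com/jch/html-pipeline/pull/176) @simeonwillbanks
+* MentionFilter#link_to_mentioned_user: Replace String introspection with Regexp match [#172](https://github.com/jch/html-pipeline/pull/172) @simeonwillbanks
+* Whitelist summary and details element. [#171](https://github.com/jch/html-pipeline/pull/171) @JuanitoFatas
+* Support ~login for MentionFilter. [#167](https://github.com/jch/html-pipeline/pull/167) @JuanitoFatas
+* Revert "Search for text nodes on DocumentFragments without root tags" [#158](https://github.com/jch/html-pipeline/pull/158) @jch
+* Drop support for ruby ree, 1.9.2, 1.9.3 [#156](https://github.com/jch/html-pipeline/pull/156) @jch
+* Skip EmojiFilter in `<tt>` tags [#147](https://github.com/jch/html-pipeline/pull/147) @moskvax
+* Use Linguist lexers [#153](https://github.com/jch/html-pipeline/pull/153) @pchaigno
+* Constrain Active Support >= 2, < 5 [#180](https://github.com/jch/html-pipeline/pull/180) @jch
 
 ## 1.11.0
 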
data/Gemfile
CHANGED
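--- a/data/README.md
+++ b/data/README.md
@@ -1,9 +1,10 @@
 # HTML::Pipeline [![Build Status](https://travis-ci.org/jch/html-pipeline.svg?branch=master)](https://travis-ci.org/jch/html-pipeline)
 
-
+HTML processing filters and utilities. This module includes a small
 framework for defining DOM based content filters and applying them to user
-provided content.
-
+provided content.
+
+[This project was started at GitHub](https://github.com/blog/1311-html-pipeline-chainable-content-filters). While GitHub still uses a similar design and pattern for rendering content, this gem should be considered standalone and independent from GitHub.
 
 - [Installation](#installation)
 - [Usage](#usage)
@@ -32,7 +33,7 @@ And then execute:
 $ bundle
 ```
 
-Or install it yourself as:
+Or install it by yourself as:
 
 ```sh
 $ gem install html-pipeline
@@ -82,7 +83,7 @@ Prints:
 </code></pre>
 ```
 
-To generate CSS for HTML formatted code, use the [Rouge CSS Theme](https://github.com/
+To generate CSS for HTML formatted code, use the [Rouge CSS Theme](https://github.com/rouge-ruby/rouge#css-options) `#css` method. `rouge` is a dependency of the `SyntaxHighlightFilter`.
 
 Some filters take an optional **context** and/or **result** hash. These are
 used to pass around arguments and metadata between filters in a pipeline. For
@@ -163,7 +164,7 @@ EmojiPipeline = Pipeline.new [
 * `ImageMaxWidthFilter` - link to full size image for large images
 * `MarkdownFilter` - convert markdown to html
 * `PlainTextInputFilter` - html escape text and wrap the result in a div
-* `SanitizationFilter` -
+* `SanitizationFilter` - allow sanitize user markup
 * `SyntaxHighlightFilter` - code syntax highlighter
 * `TextileFilter` - convert textile to html
 * `TableOfContentsFilter` - anchor headings with name attributes and generate Table of Contents html unordered list linking headings
@@ -329,9 +330,9 @@ html_fragment = "This is outside of an html element, but <strong>this isn't. :+1
 EmojiPipeline.call("<div>#{html_fragment}</div>") # <- Wrap your own html fragments to avoid escaping
 ```
 
-### 2. How do I customize
+### 2. How do I customize an allowlist for `SanitizationFilter`s?
 
-`SanitizationFilter::
+`SanitizationFilter::ALLOWLIST` is the default allowlist used if no `:allowlist`
 argument is given in the context. The default is a good starting template for
 you to add additional elements. You can either modify the constant's value, or
 re-define your own constant and pass that in via the context.
@@ -354,6 +355,8 @@ Thanks to all of [these contributors](https://github.com/jch/html-pipeline/graph
 
 Project is a member of the [OSS Manifesto](http://ossmanifesto.org/).
 
+The current maintainer is @gjtorikian
+
 ### Releasing A New Version
 
 This section is for gem maintainers to cut a new version of the gem.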
@@ -8,6 +8,7 @@ module HTML
|
|
8
8
|
#
|
9
9
|
# Context options:
|
10
10
|
# :autolink - boolean whether to autolink urls
|
11
|
+
# :link_mode - :all, :urls or :email_addresses
|
11
12
|
# :link_attr - HTML attributes for the link that will be generated
|
12
13
|
# :skip_tags - HTML tags inside which autolinking will be skipped.
|
13
14
|
# See Rinku.skip_tags
|
@@ -22,7 +23,11 @@ module HTML
|
|
22
23
|
flags = 0
|
23
24
|
flags |= context[:flags] if context[:flags]
|
24
25
|
|
25
|
-
Rinku.auto_link(html,
|
26
|
+
Rinku.auto_link(html, link_mode, context[:link_attr], skip_tags, flags)
|
27
|
+
end
|
28
|
+
|
29
|
+
def link_mode
|
30
|
+
context[:link_mode] || :urls
|
26
31
|
end
|
27
32
|
end
|
28
33
|
end
|
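Review bot: The new `:link_mode` option is read from the context and handed to `Rinku.auto_link` unchecked, and its doc line does not say which value applies when the option is unset. `link_mode` falls back to `:urls`, so the comment would be clearer as `# :link_mode - :all, :urls or :email_addresses (default: :urls)`. If an unsupported value should be rejected by the filter itself rather than by whatever Rinku does with it, a guard in `link_mode` such as `raise ArgumentError, 'invalid :link_mode' unless %i[all urls email_addresses].include?(mode)` makes the failure explicit. `link_mode` also looks public here; whether a `private` marker precedes it is outside the visible hunks.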
@@ -16,7 +16,7 @@ module HTML
|
|
16
16
|
# Context options:
|
17
17
|
# :asset_proxy (required) - Base URL for constructed asset proxy URLs.
|
18
18
|
# :asset_proxy_secret_key (required) - The shared secret used to encode URLs.
|
19
|
-
# :
|
19
|
+
# :asset_proxy_allowlist - Array of host Strings or Regexps to skip
|
20
20
|
# src rewriting.
|
21
21
|
#
|
22
22
|
# This filter does not write additional information to the context.
|
@@ -37,7 +37,7 @@ module HTML
|
|
37
37
|
end
|
38
38
|
|
39
39
|
next if uri.host.nil?
|
40
|
-
next if
|
40
|
+
next if asset_host_allowed?(uri.host)
|
41
41
|
|
42
42
|
element['src'] = asset_proxy_url(original_src)
|
43
43
|
element['data-canonical-src'] = original_src
|
@@ -76,11 +76,21 @@ module HTML
|
|
76
76
|
end
|
77
77
|
|
78
78
|
def asset_proxy_whitelist
|
79
|
-
|
79
|
+
warn "[DEPRECATION] 'asset_proxy_whitelist' is deprecated. Please use 'asset_proxy_allowlist' instead."
|
80
|
+
asset_proxy_allowlist
|
81
|
+
end
|
82
|
+
|
83
|
+
def asset_proxy_allowlist
|
84
|
+
context[:asset_proxy_allowlist] || context[:asset_proxy_whitelist] || []
|
80
85
|
end
|
81
86
|
|
82
87
|
def asset_host_whitelisted?(host)
|
83
|
-
|
88
|
+
warn "[DEPRECATION] 'asset_host_whitelisted?' is deprecated. Please use 'asset_host_allowed?' instead."
|
89
|
+
asset_host_allowed?(host)
|
90
|
+
end
|
91
|
+
|
92
|
+
def asset_host_allowed?(host)
|
93
|
+
asset_proxy_allowlist.any? do |test|
|
84
94
|
test.is_a?(String) ? host == test : test.match(host)
|
85
95
|
end
|
86
96
|
end
|
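Review bot: `asset_host_allowed?` tests Regexp entries with `test.match(host)`, which is unanchored, so an allowlist pattern written without `\A` and `\z` also accepts any host that merely contains the intended name, and images from such hosts then bypass the proxy. The `:asset_proxy_allowlist` doc line is the natural place to say so, for example `# :asset_proxy_allowlist - Array of host Strings or Regexps (anchor Regexps with \A and \z) to skip`. Separately, `asset_proxy_allowlist` still honours `context[:asset_proxy_whitelist]` silently: only the renamed methods emit the `[DEPRECATION]` warning, so callers who set the old context key are never told to migrate.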
@@ -11,10 +11,12 @@ module HTML
|
|
11
11
|
# Context options:
|
12
12
|
# :gfm => false Disable GFM line-end processing
|
13
13
|
# :commonmarker_extensions => [ :table, :strikethrough,
|
14
|
-
# :tagfilter, :autolink ]
|
14
|
+
# :tagfilter, :autolink ] Commonmarker extensions to include
|
15
15
|
#
|
16
16
|
# This filter does not write any additional information to the context hash.
|
17
17
|
class MarkdownFilter < TextFilter
|
18
|
+
DEFAULT_COMMONMARKER_EXTENSIONS = %i[table strikethrough tagfilter autolink].freeze
|
19
|
+
|
18
20
|
def initialize(text, context = nil, result = nil)
|
19
21
|
super text, context, result
|
20
22
|
@text = @text.delete "\r"
|
@@ -23,14 +25,29 @@ module HTML
|
|
23
25
|
# Convert Markdown to HTML using the best available implementation
|
24
26
|
# and convert into a DocumentFragment.
|
25
27
|
def call
|
26
|
-
options = [:GITHUB_PRE_LANG]
|
27
|
-
options << :HARDBREAKS if context[:gfm] != false
|
28
|
-
options << :UNSAFE if context[:unsafe]
|
29
28
|
extensions = context.fetch(
|
30
29
|
:commonmarker_extensions,
|
31
|
-
|
30
|
+
DEFAULT_COMMONMARKER_EXTENSIONS
|
32
31
|
)
|
33
|
-
html =
|
32
|
+
html = if (renderer = context[:commonmarker_renderer])
|
33
|
+
unless renderer < CommonMarker::HtmlRenderer
|
34
|
+
raise ArgumentError, "`commonmark_renderer` must be derived from `CommonMarker::HtmlRenderer`"
|
35
|
+
end
|
36
|
+
parse_options = :DEFAULT
|
37
|
+
parse_options = [:UNSAFE] if context[:unsafe]
|
38
|
+
|
39
|
+
render_options = [:GITHUB_PRE_LANG]
|
40
|
+
render_options << :HARDBREAKS if context[:gfm] != false
|
41
|
+
render_options = [:UNSAFE] if context[:unsafe]
|
42
|
+
|
43
|
+
doc = CommonMarker.render_doc(@text, parse_options, extensions)
|
44
|
+
renderer.new(options: render_options, extensions: extensions).render(doc)
|
45
|
+
else
|
46
|
+
options = [:GITHUB_PRE_LANG]
|
47
|
+
options << :HARDBREAKS if context[:gfm] != false
|
48
|
+
options << :UNSAFE if context[:unsafe]
|
49
|
+
CommonMarker.render_html(@text, options, extensions)
|
50
|
+
end
|
34
51
|
html.rstrip!
|
35
52
|
html
|
36
53
|
end
|
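Review bot: In the custom-renderer branch of `call`, `render_options = [:UNSAFE] if context[:unsafe]` replaces the array instead of appending to it, so `:GITHUB_PRE_LANG` and `:HARDBREAKS` are dropped whenever `:unsafe` is set; the default branch appends, and this one should too: `render_options << :UNSAFE if context[:unsafe]`. The guard `renderer < CommonMarker::HtmlRenderer` is a strict-subclass test, so it rejects `CommonMarker::HtmlRenderer` itself and can raise `NoMethodError` instead of `ArgumentError` for a non-Class value such as a renderer instance; `renderer.is_a?(Class) && renderer <= CommonMarker::HtmlRenderer` covers both. The error message names `commonmark_renderer` while the context key is `:commonmarker_renderer`. Neither `:commonmarker_renderer` nor `:unsafe` is listed under "Context options", and `:unsafe` deserves a line saying that it lets raw HTML through and should only be used with a `SanitizationFilter` later in the pipeline.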
@@ -4,7 +4,7 @@ HTML::Pipeline.require_dependency('sanitize', 'SanitizationFilter')
|
|
4
4
|
|
5
5
|
module HTML
|
6
6
|
class Pipeline
|
7
|
-
# HTML filter with sanization routines and
|
7
|
+
# HTML filter with sanization routines and allowlists. This module defines
|
8
8
|
# what HTML is allowed in user provided content and fixes up issues with
|
9
9
|
# unbalanced tags and whatnot.
|
10
10
|
#
|
@@ -13,13 +13,13 @@ module HTML
|
|
13
13
|
# https://github.com/rgrove/sanitize/#readme
|
14
14
|
#
|
15
15
|
# Context options:
|
16
|
-
# :
|
16
|
+
# :allowlist - The sanitizer allowlist configuration to use. This
|
17
17
|
# can be one of the options constants defined in this
|
18
18
|
# class or a custom sanitize options hash.
|
19
19
|
# :anchor_schemes - The URL schemes to allow in <a href> attributes. The
|
20
20
|
# default set is provided in the ANCHOR_SCHEMES
|
21
21
|
# constant in this class. If passed, this overrides any
|
22
|
-
# schemes specified in the
|
22
|
+
# schemes specified in the allowlist configuration.
|
23
23
|
#
|
24
24
|
# This filter does not write additional information to the context.
|
25
25
|
class SanitizationFilter < Filter
|
@@ -37,9 +37,9 @@ module HTML
|
|
37
37
|
# These schemes are the only ones allowed in <a href> attributes by default.
|
38
38
|
ANCHOR_SCHEMES = ['http', 'https', 'mailto', 'xmpp', :relative, 'github-windows', 'github-mac', 'irc', 'ircs'].freeze
|
39
39
|
|
40
|
-
# The main sanitization
|
40
|
+
# The main sanitization allowlist. Only these elements and attributes are
|
41
41
|
# allowed through by default.
|
42
|
-
|
42
|
+
ALLOWLIST = {
|
43
43
|
elements: %w[
|
44
44
|
h1 h2 h3 h4 h5 h6 h7 h8 br b i strong em a pre code img tt
|
45
45
|
div ins del sup sub p ol ul table thead tbody tfoot blockquote
|
@@ -68,8 +68,8 @@ module HTML
|
|
68
68
|
hspace ismap label lang
|
69
69
|
maxlength media method
|
70
70
|
multiple name nohref noshade
|
71
|
-
nowrap open prompt readonly rel rev
|
72
|
-
rows rowspan rules scope
|
71
|
+
nowrap open progress prompt readonly rel rev
|
72
|
+
role rows rowspan rules scope
|
73
73
|
selected shape size span
|
74
74
|
start summary tabindex target
|
75
75
|
title type usemap valign value
|
@@ -108,10 +108,10 @@ module HTML
|
|
108
108
|
].freeze
|
109
109
|
}.freeze
|
110
110
|
|
111
|
-
# A more limited sanitization
|
112
|
-
# protocols, and transformers from
|
111
|
+
# A more limited sanitization allowlist. This includes all attributes,
|
112
|
+
# protocols, and transformers from ALLOWLIST but with a more locked down
|
113
113
|
# set of allowed elements.
|
114
|
-
LIMITED =
|
114
|
+
LIMITED = ALLOWLIST.merge(
|
115
115
|
elements: %w[b i strong em a pre code img ins del sup sub mark abbr p ol ul li]
|
116
116
|
)
|
117
117
|
|
@@ -120,19 +120,24 @@ module HTML
|
|
120
120
|
|
121
121
|
# Sanitize markup using the Sanitize library.
|
122
122
|
def call
|
123
|
-
Sanitize.clean_node!(doc,
|
123
|
+
Sanitize.clean_node!(doc, allowlist)
|
124
124
|
end
|
125
125
|
|
126
|
-
# The whitelist to use when sanitizing. This can be passed in the context
|
127
|
-
# hash to the filter but defaults to WHITELIST constant value above.
|
128
126
|
def whitelist
|
129
|
-
|
127
|
+
warn "[DEPRECATION] 'whitelist' is deprecated. Please use 'allowlist' instead."
|
128
|
+
allowlist
|
129
|
+
end
|
130
|
+
|
131
|
+
# The allowlist to use when sanitizing. This can be passed in the context
|
132
|
+
# hash to the filter but defaults to ALLOWLIST constant value above.
|
133
|
+
def allowlist
|
134
|
+
allowlist = context[:allowlist] || context[:whitelist] || ALLOWLIST
|
130
135
|
anchor_schemes = context[:anchor_schemes]
|
131
|
-
return
|
132
|
-
|
133
|
-
|
134
|
-
|
135
|
-
|
136
|
+
return allowlist unless anchor_schemes
|
137
|
+
allowlist = allowlist.dup
|
138
|
+
allowlist[:protocols] = (allowlist[:protocols] || {}).dup
|
139
|
+
allowlist[:protocols]['a'] = (allowlist[:protocols]['a'] || {}).merge('href' => anchor_schemes)
|
140
|
+
allowlist
|
136
141
|
end
|
137
142
|
end
|
138
143
|
end
|
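Review bot: The default constant is renamed to `ALLOWLIST` with no alias for the old name visible in these hunks, so code that references `SanitizationFilter::WHITELIST` would hit a `NameError` after upgrading, unlike the `whitelist` method, which keeps a deprecated wrapper. If no alias exists outside the hunks, adding `WHITELIST = ALLOWLIST` followed by `deprecate_constant :WHITELIST` after the hash keeps the rename backward compatible. In `allowlist`, the fallback to `context[:whitelist]` is silent, so callers passing the old context key never see the deprecation warning; the local variable `allowlist` also shadows the method name, and `config` would read better. The class comment on the new side still carries the typo "sanization".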
@@ -4,8 +4,15 @@ HTML::Pipeline.require_dependency('rouge', 'SyntaxHighlightFilter')
|
|
4
4
|
|
5
5
|
module HTML
|
6
6
|
class Pipeline
|
7
|
-
# HTML Filter that syntax highlights code blocks
|
8
|
-
#
|
7
|
+
# HTML Filter that syntax highlights text inside code blocks.
|
8
|
+
#
|
9
|
+
# Context options:
|
10
|
+
#
|
11
|
+
# :highlight => String represents the language to pick lexer. Defaults to empty string.
|
12
|
+
# :scope => String represents the class attribute adds to pre element after.
|
13
|
+
# Defaults to "highlight highlight-css" if highlights a css code block.
|
14
|
+
#
|
15
|
+
# This filter does not write any additional information to the context hash.
|
9
16
|
class SyntaxHighlightFilter < Filter
|
10
17
|
def initialize(*args)
|
11
18
|
super(*args)
|
@@ -17,23 +24,20 @@ module HTML
|
|
17
24
|
default = context[:highlight] && context[:highlight].to_s
|
18
25
|
next unless lang = node['lang'] || default
|
19
26
|
next unless lexer = lexer_for(lang)
|
20
|
-
text = node.inner_text
|
21
27
|
|
22
|
-
|
28
|
+
text = node.inner_text
|
29
|
+
html = highlight_with_timeout_handling(text, lexer)
|
23
30
|
next if html.nil?
|
24
31
|
|
25
32
|
node.inner_html = html
|
26
|
-
|
27
|
-
|
28
|
-
klass = [klass, scope].compact.join ' '
|
29
|
-
|
30
|
-
node['class'] = klass
|
33
|
+
scope = context.fetch(:scope) { 'highlight' }
|
34
|
+
node['class'] = "#{scope} #{scope}-#{lang}"
|
31
35
|
end
|
32
36
|
doc
|
33
37
|
end
|
34
38
|
|
35
|
-
def highlight_with_timeout_handling(text,
|
36
|
-
Rouge.highlight(text,
|
39
|
+
def highlight_with_timeout_handling(text, lexer)
|
40
|
+
Rouge.highlight(text, lexer, @formatter)
|
37
41
|
rescue Timeout::Error => _
|
38
42
|
nil
|
39
43
|
end
|
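Review bot: `node['class'] = "#{scope} #{scope}-#{lang}"` now overwrites the `class` attribute, whereas the removed lines joined an existing `klass` with the scope (`[klass, scope].compact.join ' '`), so any class already present on the node appears to be lost. `context.fetch(:scope) { 'highlight' }` only falls back when the key is absent, so a context carrying `scope: nil` produces a class like ` -ruby`; `scope = context[:scope] || 'highlight'` handles both cases. The new doc comment says `:highlight` "Defaults to empty string", but `default` is `nil` when the option is unset, and the `:scope` line would be clearer as `# :scope => String used as the class prefix; the class becomes "<scope> <scope>-<lang>". Defaults to "highlight".` The enclosing `call` method starts outside the hunk.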
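--- a/metadata
+++ b/metadata
@@ -1,16 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: html-pipeline
 version: !ruby/object:Gem::Version
-version: 2.
+version: 2.13.1
 platform: ruby
 authors:
 - Ryan Tomayko
 - Jerry Cheung
 - Garen J. Torikian
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2020-12-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activesupport
@@ -49,6 +49,7 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/FUNDING.yml"
 - ".gitignore"
 - ".travis.yml"
 - Appraisals
@@ -106,9 +107,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-
-
-signing_key:
+rubygems_version: 3.1.2
+signing_key:
 specification_version: 4
 summary: Helpers for processing content through a chain of filters
 test_files: []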