html-pipeline 2.12.1 → 2.13.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.github/FUNDING.yml +4 -0
- data/CHANGELOG.md +14 -0
- data/Gemfile +1 -0
- data/README.md +11 -8
- data/lib/html/pipeline/autolink_filter.rb +6 -1
- data/lib/html/pipeline/camo_filter.rb +14 -4
- data/lib/html/pipeline/markdown_filter.rb +1 -0
- data/lib/html/pipeline/sanitization_filter.rb +24 -19
- data/lib/html/pipeline/syntax_highlight_filter.rb +15 -11
- data/lib/html/pipeline/version.rb +1 -1
- metadata +6 -5
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 33b990d538fedcc5cfba4af72d2559a512e4ee624db46fd69f6512f5f7125579
|
|
4
|
+
data.tar.gz: f42006e2e85a96bfd2abad353ebc730f830bcc2dfbab05952cd1a875017f0ed5
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 3591baf92c161af1b0b592bdce211aa80fad0a82a516f17831526dcc632983f290651be7e9912ef89bd2f4bb4782773d1035dbf4e9e0f832212a1ab4af2c1b30
|
|
7
|
+
data.tar.gz: d7147a563129eedada76f3e7d3ee89daf03cd4ece33efe6fcf99a9c622c5928ae867c2eeb7c0b77a6d6b812d89496ea3024040229f924856e3adb60096b37445
|
data/.github/FUNDING.yml
ADDED
data/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,19 @@
|
|
|
1
1
|
# CHANGELOG
|
|
2
2
|
|
|
3
|
+
## 2.12.3
|
|
4
|
+
|
|
5
|
+
* Bug fix in `SyntaxHighlightFilter` [#325](https://github.com/jch/html-pipeline/pull/325)
|
|
6
|
+
|
|
7
|
+
## 2.12.2
|
|
8
|
+
|
|
9
|
+
* Allow unsafe option for Custom Renderer of `MarkdownFilter` [#322](https://github.com/jch/html-pipeline/pull/322)
|
|
10
|
+
* Test with minitest-focus
|
|
11
|
+
|
|
12
|
+
## 2.12.1
|
|
13
|
+
|
|
14
|
+
* Allow Custom Renderer for `MarkdownFilter` [#318](https://github.com/jch/html-pipeline/pull/318)
|
|
15
|
+
* Test against more Rails versions
|
|
16
|
+
|
|
3
17
|
## 2.12.0
|
|
4
18
|
|
|
5
19
|
* Team mention filter [#314](https://github.com/jch/html-pipeline/pull/314)
|
data/Gemfile
CHANGED
data/README.md
CHANGED
|
@@ -1,9 +1,10 @@
|
|
|
1
1
|
# HTML::Pipeline [](https://travis-ci.org/jch/html-pipeline)
|
|
2
2
|
|
|
3
|
-
|
|
3
|
+
HTML processing filters and utilities. This module includes a small
|
|
4
4
|
framework for defining DOM based content filters and applying them to user
|
|
5
|
-
provided content.
|
|
6
|
-
|
|
5
|
+
provided content.
|
|
6
|
+
|
|
7
|
+
[This project was started at GitHub](https://github.com/blog/1311-html-pipeline-chainable-content-filters). While GitHub still uses a similar design and pattern for rendering content, this gem should be considered standalone and independent from GitHub.
|
|
7
8
|
|
|
8
9
|
- [Installation](#installation)
|
|
9
10
|
- [Usage](#usage)
|
|
@@ -32,7 +33,7 @@ And then execute:
|
|
|
32
33
|
$ bundle
|
|
33
34
|
```
|
|
34
35
|
|
|
35
|
-
Or install it yourself as:
|
|
36
|
+
Or install it by yourself as:
|
|
36
37
|
|
|
37
38
|
```sh
|
|
38
39
|
$ gem install html-pipeline
|
|
@@ -82,7 +83,7 @@ Prints:
|
|
|
82
83
|
</code></pre>
|
|
83
84
|
```
|
|
84
85
|
|
|
85
|
-
To generate CSS for HTML formatted code, use the [Rouge CSS Theme](https://github.com/
|
|
86
|
+
To generate CSS for HTML formatted code, use the [Rouge CSS Theme](https://github.com/rouge-ruby/rouge#css-options) `#css` method. `rouge` is a dependency of the `SyntaxHighlightFilter`.
|
|
86
87
|
|
|
87
88
|
Some filters take an optional **context** and/or **result** hash. These are
|
|
88
89
|
used to pass around arguments and metadata between filters in a pipeline. For
|
|
@@ -163,7 +164,7 @@ EmojiPipeline = Pipeline.new [
|
|
|
163
164
|
* `ImageMaxWidthFilter` - link to full size image for large images
|
|
164
165
|
* `MarkdownFilter` - convert markdown to html
|
|
165
166
|
* `PlainTextInputFilter` - html escape text and wrap the result in a div
|
|
166
|
-
* `SanitizationFilter` -
|
|
167
|
+
* `SanitizationFilter` - allow sanitize user markup
|
|
167
168
|
* `SyntaxHighlightFilter` - code syntax highlighter
|
|
168
169
|
* `TextileFilter` - convert textile to html
|
|
169
170
|
* `TableOfContentsFilter` - anchor headings with name attributes and generate Table of Contents html unordered list linking headings
|
|
@@ -329,9 +330,9 @@ html_fragment = "This is outside of an html element, but <strong>this isn't. :+1
|
|
|
329
330
|
EmojiPipeline.call("<div>#{html_fragment}</div>") # <- Wrap your own html fragments to avoid escaping
|
|
330
331
|
```
|
|
331
332
|
|
|
332
|
-
### 2. How do I customize
|
|
333
|
+
### 2. How do I customize an allowlist for `SanitizationFilter`s?
|
|
333
334
|
|
|
334
|
-
`SanitizationFilter::
|
|
335
|
+
`SanitizationFilter::ALLOWLIST` is the default allowlist used if no `:allowlist`
|
|
335
336
|
argument is given in the context. The default is a good starting template for
|
|
336
337
|
you to add additional elements. You can either modify the constant's value, or
|
|
337
338
|
re-define your own constant and pass that in via the context.
|
|
@@ -354,6 +355,8 @@ Thanks to all of [these contributors](https://github.com/jch/html-pipeline/graph
|
|
|
354
355
|
|
|
355
356
|
Project is a member of the [OSS Manifesto](http://ossmanifesto.org/).
|
|
356
357
|
|
|
358
|
+
The current maintainer is @gjtorikian
|
|
359
|
+
|
|
357
360
|
### Releasing A New Version
|
|
358
361
|
|
|
359
362
|
This section is for gem maintainers to cut a new version of the gem.
|
|
@@ -8,6 +8,7 @@ module HTML
|
|
|
8
8
|
#
|
|
9
9
|
# Context options:
|
|
10
10
|
# :autolink - boolean whether to autolink urls
|
|
11
|
+
# :link_mode - :all, :urls or :email_addresses
|
|
11
12
|
# :link_attr - HTML attributes for the link that will be generated
|
|
12
13
|
# :skip_tags - HTML tags inside which autolinking will be skipped.
|
|
13
14
|
# See Rinku.skip_tags
|
|
@@ -22,7 +23,11 @@ module HTML
|
|
|
22
23
|
flags = 0
|
|
23
24
|
flags |= context[:flags] if context[:flags]
|
|
24
25
|
|
|
25
|
-
Rinku.auto_link(html,
|
|
26
|
+
Rinku.auto_link(html, link_mode, context[:link_attr], skip_tags, flags)
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
def link_mode
|
|
30
|
+
context[:link_mode] || :urls
|
|
26
31
|
end
|
|
27
32
|
end
|
|
28
33
|
end
|
|
@@ -16,7 +16,7 @@ module HTML
|
|
|
16
16
|
# Context options:
|
|
17
17
|
# :asset_proxy (required) - Base URL for constructed asset proxy URLs.
|
|
18
18
|
# :asset_proxy_secret_key (required) - The shared secret used to encode URLs.
|
|
19
|
-
# :
|
|
19
|
+
# :asset_proxy_allowlist - Array of host Strings or Regexps to skip
|
|
20
20
|
# src rewriting.
|
|
21
21
|
#
|
|
22
22
|
# This filter does not write additional information to the context.
|
|
@@ -37,7 +37,7 @@ module HTML
|
|
|
37
37
|
end
|
|
38
38
|
|
|
39
39
|
next if uri.host.nil?
|
|
40
|
-
next if
|
|
40
|
+
next if asset_host_allowed?(uri.host)
|
|
41
41
|
|
|
42
42
|
element['src'] = asset_proxy_url(original_src)
|
|
43
43
|
element['data-canonical-src'] = original_src
|
|
@@ -76,11 +76,21 @@ module HTML
|
|
|
76
76
|
end
|
|
77
77
|
|
|
78
78
|
def asset_proxy_whitelist
|
|
79
|
-
|
|
79
|
+
warn "[DEPRECATION] 'asset_proxy_whitelist' is deprecated. Please use 'asset_proxy_allowlist' instead."
|
|
80
|
+
asset_proxy_allowlist
|
|
81
|
+
end
|
|
82
|
+
|
|
83
|
+
def asset_proxy_allowlist
|
|
84
|
+
context[:asset_proxy_allowlist] || context[:asset_proxy_whitelist] || []
|
|
80
85
|
end
|
|
81
86
|
|
|
82
87
|
def asset_host_whitelisted?(host)
|
|
83
|
-
|
|
88
|
+
warn "[DEPRECATION] 'asset_host_whitelisted?' is deprecated. Please use 'asset_host_allowed?' instead."
|
|
89
|
+
asset_host_allowed?(host)
|
|
90
|
+
end
|
|
91
|
+
|
|
92
|
+
def asset_host_allowed?(host)
|
|
93
|
+
asset_proxy_allowlist.any? do |test|
|
|
84
94
|
test.is_a?(String) ? host == test : test.match(host)
|
|
85
95
|
end
|
|
86
96
|
end
|
|
@@ -38,6 +38,7 @@ module HTML
|
|
|
38
38
|
|
|
39
39
|
render_options = [:GITHUB_PRE_LANG]
|
|
40
40
|
render_options << :HARDBREAKS if context[:gfm] != false
|
|
41
|
+
render_options << :UNSAFE if context[:unsafe]
|
|
41
42
|
|
|
42
43
|
doc = CommonMarker.render_doc(@text, parse_options, extensions)
|
|
43
44
|
renderer.new(options: render_options, extensions: extensions).render(doc)
|
|
@@ -4,7 +4,7 @@ HTML::Pipeline.require_dependency('sanitize', 'SanitizationFilter')
|
|
|
4
4
|
|
|
5
5
|
module HTML
|
|
6
6
|
class Pipeline
|
|
7
|
-
# HTML filter with sanization routines and
|
|
7
|
+
# HTML filter with sanization routines and allowlists. This module defines
|
|
8
8
|
# what HTML is allowed in user provided content and fixes up issues with
|
|
9
9
|
# unbalanced tags and whatnot.
|
|
10
10
|
#
|
|
@@ -13,13 +13,13 @@ module HTML
|
|
|
13
13
|
# https://github.com/rgrove/sanitize/#readme
|
|
14
14
|
#
|
|
15
15
|
# Context options:
|
|
16
|
-
# :
|
|
16
|
+
# :allowlist - The sanitizer allowlist configuration to use. This
|
|
17
17
|
# can be one of the options constants defined in this
|
|
18
18
|
# class or a custom sanitize options hash.
|
|
19
19
|
# :anchor_schemes - The URL schemes to allow in <a href> attributes. The
|
|
20
20
|
# default set is provided in the ANCHOR_SCHEMES
|
|
21
21
|
# constant in this class. If passed, this overrides any
|
|
22
|
-
# schemes specified in the
|
|
22
|
+
# schemes specified in the allowlist configuration.
|
|
23
23
|
#
|
|
24
24
|
# This filter does not write additional information to the context.
|
|
25
25
|
class SanitizationFilter < Filter
|
|
@@ -37,9 +37,9 @@ module HTML
|
|
|
37
37
|
# These schemes are the only ones allowed in <a href> attributes by default.
|
|
38
38
|
ANCHOR_SCHEMES = ['http', 'https', 'mailto', 'xmpp', :relative, 'github-windows', 'github-mac', 'irc', 'ircs'].freeze
|
|
39
39
|
|
|
40
|
-
# The main sanitization
|
|
40
|
+
# The main sanitization allowlist. Only these elements and attributes are
|
|
41
41
|
# allowed through by default.
|
|
42
|
-
|
|
42
|
+
ALLOWLIST = {
|
|
43
43
|
elements: %w[
|
|
44
44
|
h1 h2 h3 h4 h5 h6 h7 h8 br b i strong em a pre code img tt
|
|
45
45
|
div ins del sup sub p ol ul table thead tbody tfoot blockquote
|
|
@@ -68,8 +68,8 @@ module HTML
|
|
|
68
68
|
hspace ismap label lang
|
|
69
69
|
maxlength media method
|
|
70
70
|
multiple name nohref noshade
|
|
71
|
-
nowrap open prompt readonly rel rev
|
|
72
|
-
rows rowspan rules scope
|
|
71
|
+
nowrap open progress prompt readonly rel rev
|
|
72
|
+
role rows rowspan rules scope
|
|
73
73
|
selected shape size span
|
|
74
74
|
start summary tabindex target
|
|
75
75
|
title type usemap valign value
|
|
@@ -108,10 +108,10 @@ module HTML
|
|
|
108
108
|
].freeze
|
|
109
109
|
}.freeze
|
|
110
110
|
|
|
111
|
-
# A more limited sanitization
|
|
112
|
-
# protocols, and transformers from
|
|
111
|
+
# A more limited sanitization allowlist. This includes all attributes,
|
|
112
|
+
# protocols, and transformers from ALLOWLIST but with a more locked down
|
|
113
113
|
# set of allowed elements.
|
|
114
|
-
LIMITED =
|
|
114
|
+
LIMITED = ALLOWLIST.merge(
|
|
115
115
|
elements: %w[b i strong em a pre code img ins del sup sub mark abbr p ol ul li]
|
|
116
116
|
)
|
|
117
117
|
|
|
@@ -120,19 +120,24 @@ module HTML
|
|
|
120
120
|
|
|
121
121
|
# Sanitize markup using the Sanitize library.
|
|
122
122
|
def call
|
|
123
|
-
Sanitize.clean_node!(doc,
|
|
123
|
+
Sanitize.clean_node!(doc, allowlist)
|
|
124
124
|
end
|
|
125
125
|
|
|
126
|
-
# The whitelist to use when sanitizing. This can be passed in the context
|
|
127
|
-
# hash to the filter but defaults to WHITELIST constant value above.
|
|
128
126
|
def whitelist
|
|
129
|
-
|
|
127
|
+
warn "[DEPRECATION] 'whitelist' is deprecated. Please use 'allowlist' instead."
|
|
128
|
+
allowlist
|
|
129
|
+
end
|
|
130
|
+
|
|
131
|
+
# The allowlist to use when sanitizing. This can be passed in the context
|
|
132
|
+
# hash to the filter but defaults to ALLOWLIST constant value above.
|
|
133
|
+
def allowlist
|
|
134
|
+
allowlist = context[:allowlist] || context[:whitelist] || ALLOWLIST
|
|
130
135
|
anchor_schemes = context[:anchor_schemes]
|
|
131
|
-
return
|
|
132
|
-
|
|
133
|
-
|
|
134
|
-
|
|
135
|
-
|
|
136
|
+
return allowlist unless anchor_schemes
|
|
137
|
+
allowlist = allowlist.dup
|
|
138
|
+
allowlist[:protocols] = (allowlist[:protocols] || {}).dup
|
|
139
|
+
allowlist[:protocols]['a'] = (allowlist[:protocols]['a'] || {}).merge('href' => anchor_schemes)
|
|
140
|
+
allowlist
|
|
136
141
|
end
|
|
137
142
|
end
|
|
138
143
|
end
|
|
@@ -4,8 +4,15 @@ HTML::Pipeline.require_dependency('rouge', 'SyntaxHighlightFilter')
|
|
|
4
4
|
|
|
5
5
|
module HTML
|
|
6
6
|
class Pipeline
|
|
7
|
-
# HTML Filter that syntax highlights code blocks
|
|
8
|
-
#
|
|
7
|
+
# HTML Filter that syntax highlights text inside code blocks.
|
|
8
|
+
#
|
|
9
|
+
# Context options:
|
|
10
|
+
#
|
|
11
|
+
# :highlight => String represents the language to pick lexer. Defaults to empty string.
|
|
12
|
+
# :scope => String represents the class attribute adds to pre element after.
|
|
13
|
+
# Defaults to "highlight highlight-css" if highlights a css code block.
|
|
14
|
+
#
|
|
15
|
+
# This filter does not write any additional information to the context hash.
|
|
9
16
|
class SyntaxHighlightFilter < Filter
|
|
10
17
|
def initialize(*args)
|
|
11
18
|
super(*args)
|
|
@@ -17,23 +24,20 @@ module HTML
|
|
|
17
24
|
default = context[:highlight] && context[:highlight].to_s
|
|
18
25
|
next unless lang = node['lang'] || default
|
|
19
26
|
next unless lexer = lexer_for(lang)
|
|
20
|
-
text = node.inner_text
|
|
21
27
|
|
|
22
|
-
|
|
28
|
+
text = node.inner_text
|
|
29
|
+
html = highlight_with_timeout_handling(text, lexer)
|
|
23
30
|
next if html.nil?
|
|
24
31
|
|
|
25
32
|
node.inner_html = html
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
klass = [klass, scope].compact.join ' '
|
|
29
|
-
|
|
30
|
-
node['class'] = klass
|
|
33
|
+
scope = context.fetch(:scope) { 'highlight' }
|
|
34
|
+
node['class'] = "#{scope} #{scope}-#{lang}"
|
|
31
35
|
end
|
|
32
36
|
doc
|
|
33
37
|
end
|
|
34
38
|
|
|
35
|
-
def highlight_with_timeout_handling(text,
|
|
36
|
-
Rouge.highlight(text,
|
|
39
|
+
def highlight_with_timeout_handling(text, lexer)
|
|
40
|
+
Rouge.highlight(text, lexer, @formatter)
|
|
37
41
|
rescue Timeout::Error => _
|
|
38
42
|
nil
|
|
39
43
|
end
|
metadata
CHANGED
|
@@ -1,16 +1,16 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: html-pipeline
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.
|
|
4
|
+
version: 2.13.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Ryan Tomayko
|
|
8
8
|
- Jerry Cheung
|
|
9
9
|
- Garen J. Torikian
|
|
10
|
-
autorequire:
|
|
10
|
+
autorequire:
|
|
11
11
|
bindir: bin
|
|
12
12
|
cert_chain: []
|
|
13
|
-
date:
|
|
13
|
+
date: 2020-12-04 00:00:00.000000000 Z
|
|
14
14
|
dependencies:
|
|
15
15
|
- !ruby/object:Gem::Dependency
|
|
16
16
|
name: activesupport
|
|
@@ -49,6 +49,7 @@ executables: []
|
|
|
49
49
|
extensions: []
|
|
50
50
|
extra_rdoc_files: []
|
|
51
51
|
files:
|
|
52
|
+
- ".github/FUNDING.yml"
|
|
52
53
|
- ".gitignore"
|
|
53
54
|
- ".travis.yml"
|
|
54
55
|
- Appraisals
|
|
@@ -106,8 +107,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
106
107
|
- !ruby/object:Gem::Version
|
|
107
108
|
version: '0'
|
|
108
109
|
requirements: []
|
|
109
|
-
rubygems_version: 3.
|
|
110
|
-
signing_key:
|
|
110
|
+
rubygems_version: 3.1.2
|
|
111
|
+
signing_key:
|
|
111
112
|
specification_version: 4
|
|
112
113
|
summary: Helpers for processing content through a chain of filters
|
|
113
114
|
test_files: []
|