proclaim 0.2.4 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 95376276542d333bb59c9ae6c18791bed276b629
-  data.tar.gz: 3d7f91736e0aabd04624da823c4973b072be0270
+  metadata.gz: 499990491b4ea6af55296e35da87462bf821f3ab
+  data.tar.gz: 160b0d32c648e01aadd3aa630a0c4ae37e4178ac
 SHA512:
-  metadata.gz: 92414f0b8e9f7b4a2059a06868e2e68fd39d5e9dd4e2a8702da1232f07ab2705ec217cf45c8a36aed960b4569671c7abdcab85b157bf1789e0e780bbbb59b1df
-  data.tar.gz: d6fa347afc769970dd4eb03bacd3d677e6665897db1a5e391e0679db2acae90716f869ef2307ae3828c15fc545faeb9f032a478fb0b57bc64f1fd42a2f7ee590
+  metadata.gz: 488d2f108123f326b091a1fe98e5c75702cef2a5f9ae0b1f66b9183ae65b188793007b3a49f759dc9f2cddad67a8430bf8fc9f26cd13c250f2c6c6ac1408539a
+  data.tar.gz: 301cba906510fb9f2edc22eee6434ba821cbebacec2992ad816004e176e9c2be01f15087747d6f2158d4c1008e11ecff55fb10dd325183244fbf8326459e6e23

data/CHANGELOG

@@ -1,3 +1,7 @@
+v 0.3.0
+  - Implemented sanitization for post body, using lists of allowed HTML tags and
+    attributes that can be customized via initializer.
+
 v 0.2.4
   - Added simple format to comments, to preserve line breaks
 

data/README.md

@@ -29,7 +29,7 @@ Proclaim 0.2 works with Rails 4.2 and on, with Ruby 1.9.3 and on. Add it to your
 Gemfile with:
 
 ```ruby
-gem 'proclaim', "~> 0.2.4"
+gem 'proclaim', "~> 0.3.0"
 ```
 
 Run `bundle install` to install it.
@@ -105,7 +105,16 @@ Proclaim.author_name_method = :name
 Proclaim.current_author_method = :current_user
 Proclaim.authentication_method = :authenticate_user!
 Proclaim.excerpt_length = 500
-Proclaim.editor_toolbar_buttons = ['bold', 'italic', 'underline', 'anchor', 'header1', 'header2', 'quote']
+Proclaim.editor_toolbar_buttons = ['bold', 'italic', 'underline', 'anchor',
+                                   'header1', 'header2', 'quote']
+Proclaim.editor_whitelist_tags = %w(h1 h2 h3 h4 h5 h6
+                                    div p blockquote
+                                    ul ol li
+                                    a b strong i u
+                                    img figure
+                                    pre sup sub br)
+Proclaim.editor_whitelist_attributes = %w(class id style href title src alt
+                                          align draggable)
 Proclaim.mailer_sender = nil
 ```
 
@@ -141,6 +150,14 @@ Proclaim.mailer_sender = nil
   The buttons to be displayed on the Medium Editor toolbar. For a full list of
   options, see the README for [that project][1].
 
+- **Proclaim.editor_whitelist_tags**
+
+  A list of all HTML tags that are allowed in the post body.
+
+- **Proclaim.editor_whitelist_attributes**
+
+  A list of all HTML attributes that are allowed in the post body.
+
 - **Proclaim.mailer_sender**
 
   The email address to use in the "from" field of all emails from Proclaim. If

data/VERSION

@@ -1 +1 @@
-0.2.4
+0.3.0

data/app/models/proclaim/post.rb

@@ -41,6 +41,7 @@ module Proclaim
 		validates_presence_of :title, :body, :author
 		validate :verifyBodyHtml
 
+		before_save :sanitizeBody
 		after_save :notifyBlogSubscribersIfPublished
 
 		attr_writer :excerpt_length
@@ -78,6 +79,17 @@ module Proclaim
 			end
 		end
 
+		def sanitizeBody
+			unless Proclaim.editor_whitelist_tags.blank? and
+			       Proclaim.editor_whitelist_attributes.blank?
+				sanitizer = Rails::Html::WhiteListSanitizer.new
+				self.body = sanitizer.sanitize(
+				                   body,
+				                   tags: Proclaim.editor_whitelist_tags,
+				                   attributes: Proclaim.editor_whitelist_attributes)
+			end
+		end
+
 		def takeExcerptOf(text)
 			if excerpt_length >= text.length
 				return text

data/lib/generators/proclaim/templates/initialize_proclaim.rb

@@ -21,7 +21,20 @@ Proclaim.setup do |config|
 	#config.excerpt_length = 500
 
 	# Buttons to display on post editor toolbar
-	#config.editor_toolbar_buttons = ['bold', 'italic', 'underline', 'anchor', 'header1', 'header2', 'quote']
+	#config.editor_toolbar_buttons = ['bold', 'italic', 'underline', 'anchor',
+	#                                 'header1', 'header2', 'quote']
+
+	# Whitelist of HTML tags to be supported by the editor
+	#config.editor_whitelist_tags = %w(h1 h2 h3 h4 h5 h6
+	#                                  div p blockquote
+	#                                  ul ol li
+	#                                  a b strong i u
+	#                                  img figure
+	#                                  pre sup sub br)
+
+	# Whitelist of HTML attributes to be supported by the editor
+	#config.editor_whitelist_attributes = %w(class id style href title src alt
+	#                                        align draggable)
 
 	# Email address to use in the "from" field of all emails
 	#config.mailer_sender = '"My Blog" <blog@example.com>'

data/lib/proclaim.rb

@@ -17,7 +17,20 @@ module Proclaim
 	@@excerpt_length = 500 # 500 characters (won't interrupt words)
 
 	mattr_accessor :editor_toolbar_buttons
-	@@editor_toolbar_buttons = ['bold', 'italic', 'underline', 'anchor', 'header1', 'header2', 'quote']
+	@@editor_toolbar_buttons = ['bold', 'italic', 'underline', 'anchor',
+	                            'header1', 'header2', 'quote']
+
+	mattr_accessor :editor_whitelist_tags
+	@@editor_whitelist_tags = %w(h1 h2 h3 h4 h5 h6
+	                             div p blockquote
+	                             ul ol li
+	                             a b strong i u
+	                             img figure
+	                             pre sup sub br)
+
+	mattr_accessor :editor_whitelist_attributes
+	@@editor_whitelist_attributes = %w(class id style href title src alt align
+	                                   draggable)
 
 	mattr_accessor :mailer_sender
 	@@mailer_sender = nil

data/lib/proclaim/engine.rb

@@ -2,6 +2,7 @@ require 'rails'
 require 'coffee-rails'
 require 'sass-rails'
 require 'jquery-rails'
+require 'htmlentities'
 require 'closure_tree'
 require 'font-awesome-rails'
 require 'medium-editor-rails'

data/lib/proclaim/version.rb

@@ -1,3 +1,3 @@
 module Proclaim
-  VERSION = "0.2.4"
+  VERSION = "0.3.0"
 end

data/proclaim.gemspec

@@ -26,6 +26,7 @@ Gem::Specification.new do |s|
 	s.add_dependency "coffee-rails", "~> 4.1"
 	s.add_dependency "sass-rails", "~> 5.0"
 	s.add_dependency "jquery-rails", "~> 4.0"
+	s.add_dependency "htmlentities", "~> 4.3"
 	s.add_dependency "nokogiri", "~> 1.6"
 	s.add_dependency "premailer", "~> 1.8"
 	s.add_dependency "closure_tree", "~> 5.2"

data/test/controllers/proclaim/posts_controller_test.rb

@@ -151,7 +151,7 @@ module Proclaim
 
 			document = Nokogiri::HTML.fragment(post.body)
 			image_tags = document.css("img")
-			assert_equal 1, image_tags.count
+			assert_equal 1, image_tags.count, "Post body should have one image tag"
 
 			# Note that, now that the image is saved, this URL is different than
 			# the one submitted to :create
@@ -288,7 +288,8 @@ module Proclaim
 
 			document = Nokogiri::HTML.fragment(post.body)
 			image_tags = document.css("img")
-			assert_equal 1, image_tags.count
+			assert_equal 1, image_tags.count,
+			             "Post body should contain one image tag"
 
 			# Note that, now that the image is saved, this URL is different than
 			# the one submitted to :create

data/test/integration/without_javascript/post_test.rb

@@ -163,7 +163,8 @@ class PostTest < ActionDispatch::IntegrationTest
 
 		image_tags = Nokogiri::HTML.fragment(image.post.body).css("img")
 
-		assert_equal 1, image_tags.length
+		assert_equal 1, image_tags.length,
+		             "Post body should contain one image tag"
 		refute_match root_url, image_tags[0].attribute("src"),
 		             "Images should have relative paths"
 	end

data/test/mailers/proclaim/subscription_mailer_test.rb

@@ -69,7 +69,7 @@ module Proclaim
 
 			image_tags = Nokogiri::HTML(get_html_part(mail)).css("img")
 
-			assert_equal 1, image_tags.length
+			assert_equal 1, image_tags.length, "Email should have one image tag"
 			assert_match root_url, image_tags[0].attribute("src"),
 				          "Images should have absolute URLs in emails"
 		end

data/test/models/proclaim/post_test.rb

@@ -123,5 +123,12 @@ module Proclaim
 			                         body: "This is outside.<p>This is inside.</p>")
 			assert_equal "This is outside.", post.excerpt
 		end
+
+		test "verify body sanitization" do
+			post = FactoryGirl.create(:post,
+			                          body: "foo <script>alert('bar');</script>")
+
+			assert_equal "foo alert('bar');", post.body
+		end
 	end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: proclaim
 version: !ruby/object:Gem::Version
-  version: 0.2.4
+  version: 0.3.0
 platform: ruby
 authors:
 - Kyle Fazzari
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-01-17 00:00:00.000000000 Z
+date: 2015-01-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -66,6 +66,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '4.0'
+- !ruby/object:Gem::Dependency
+  name: htmlentities
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.3'
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement