RubyGems - qiita-markdown - Versions diffs - 0.18.0 → 0.19.0 - Mend

qiita-markdown 0.18.0 → 0.19.0

Potentially problematic release.

This version of qiita-markdown might be problematic. Click here for more details.

Files changed (13) hide show

checksums.yaml +4 -4
data/.travis.yml +0 -2
data/CHANGELOG.md +6 -0
data/lib/qiita/markdown.rb +2 -1
data/lib/qiita/markdown/filters/{sanitize.rb → final_sanitizer.rb} +7 -1
data/lib/qiita/markdown/filters/simplify.rb +2 -2
data/lib/qiita/markdown/filters/user_input_sanitizer.rb +102 -0
data/lib/qiita/markdown/processor.rb +2 -1
data/lib/qiita/markdown/summary_processor.rb +2 -1
data/lib/qiita/markdown/version.rb +1 -1
data/qiita-markdown.gemspec +1 -1
data/spec/qiita/markdown/processor_spec.rb +931 -792
metadata +4 -3

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 142f1f300d42442f62e84b3ffe54321caa229b2b
-  data.tar.gz: 8029e1417074df1acc82af5cfd075efebe87c959
+  metadata.gz: 83c8da2e7dd55be72fce627ec6b14cb23362346e
+  data.tar.gz: 5752e8dae6fbbd5c9f9f94dc3e4a4320b9d222fa
 SHA512:
-  metadata.gz: db7ea2bc3c6e992848e569c695dddb5923d8aeba7f289eb845c6feea58b7150152317df655540350db6967d0871b93ebaa6e7fc82c475742b6ad95f98c779cb1
-  data.tar.gz: c98d93c9fd42393475a09560131d125eafe6d5f43ac429b333a2b2dfecfacf4c9fb8035c5a1cc3234c1209417591ba86aaac409501750a5c1b1c013198904b23
+  metadata.gz: 885e5a8cc2397dfedbe970b5f85e8dc952275986912149c3a24a1068b32b1c0922b7d1fb9a19db93133410d130ccbe4cda3d45218dc15bbc9b43baf5070cf0bb
+  data.tar.gz: f2a6c4b200eb88f247c16a4d87b4807a083042050e862a58fb7392bfbb25428f7a710ba3c1d1bf67fff0c02f1a1ff2e9fc443107f4f2a987e7147d4b5a965ab1

data/.travis.yml CHANGED Viewed

@@ -7,8 +7,6 @@ before_install:
   - gem update bundler
 language: ruby
 rvm:
-  - 2.0
-  - 2.1
   - 2.2
   - 2.3
   - 2.4

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,11 @@
 ## Unreleased
+## 0.19.0
+- Drop 2.0 and 2.1 from support Ruby versions
+- Rename `Sanitize` as `FinalSanitizer`
+- Add `:strict` context for stricter sanitization
 ## 0.18.0
 - Extract heading decoration logic from Greenmat renderer to `Toc` filter

data/lib/qiita/markdown.rb CHANGED Viewed

@@ -11,16 +11,17 @@ require "qiita/markdown/filters/checkbox"
 require "qiita/markdown/filters/code"
 require "qiita/markdown/filters/emoji"
 require "qiita/markdown/filters/external_link"
+require "qiita/markdown/filters/final_sanitizer"
 require "qiita/markdown/filters/footnote"
 require "qiita/markdown/filters/greenmat"
 require "qiita/markdown/filters/group_mention"
 require "qiita/markdown/filters/image_link"
 require "qiita/markdown/filters/mention"
-require "qiita/markdown/filters/sanitize"
 require "qiita/markdown/filters/simplify"
 require "qiita/markdown/filters/syntax_highlight"
 require "qiita/markdown/filters/toc"
 require "qiita/markdown/filters/truncate"
+require "qiita/markdown/filters/user_input_sanitizer"
 require "qiita/markdown/greenmat/heading_rendering"
 require "qiita/markdown/greenmat/html_renderer"
 require "qiita/markdown/greenmat/html_toc_renderer"

data/lib/qiita/markdown/filters/{sanitize.rb → final_sanitizer.rb} RENAMED Viewed

@@ -3,7 +3,13 @@ module Qiita
     module Filters
       # Sanitizes undesirable elements by whitelist-based rule.
       # You can pass optional :rule and :script context.
-      class Sanitize < HTML::Pipeline::Filter
+      #
+      # Since this filter is applied at the end of html-pipeline, it's rules
+      # are intentionally weakened to allow elements and attributes which are
+      # generated by other filters.
+      #
+      # @see Qiita::Markdown::Filters::UserInputSanitizerr
+      class FinalSanitizer < HTML::Pipeline::Filter
         # Wraps a node env to transform invalid node.
         class TransformableNode
           def self.call(*args)

data/lib/qiita/markdown/filters/simplify.rb CHANGED Viewed

@@ -4,7 +4,7 @@ module Qiita
       # A filter for simplifying document structure by removing complex markups
       # (mainly block elements) and complex contents.
       #
-      # The logic of this filter is similar to the `Sanitize` filter, but this
+      # The logic of this filter is similar to the `FinalSanitizer` filter, but this
       # does not use the `sanitize` gem internally for the following reasons:
       #
       # * Each filter should do only its own responsibility, and this filter is
@@ -12,7 +12,7 @@ module Qiita
       #
       # * The `sanitize` gem automatically adds extra transformers even if we
       #   want to clean up only some elements, and they would be run in the
-      #   `Sanitize` filter later.
+      #   `FinalSanitizer` filter later.
       #   https://github.com/rgrove/sanitize/blob/v3.1.2/lib/sanitize.rb#L77-L100
       class Simplify < HTML::Pipeline::Filter
         SIMPLE_ELEMENTS = %w[a b code em i ins q s samp span strike strong sub sup var]

data/lib/qiita/markdown/filters/user_input_sanitizer.rb ADDED Viewed

@@ -0,0 +1,102 @@
+module Qiita
+  module Markdown
+    module Filters
+      # Sanitizes user input if :strict context is given.
+      class UserInputSanitizer < HTML::Pipeline::Filter
+        class AttributeFilter
+          FILTERS = {
+            "a" => {
+              "class" => %w[autolink],
+              "rel" => %w[footnote url],
+              "rev" => %w[footnote],
+            },
+            "sup" => {
+              "id" => /\Afnref\d+\z/,
+            },
+            "li" => {
+              "id" => /\Afn\d+\z/,
+            },
+          }.freeze
+          DELIMITER = " ".freeze
+          def self.call(*args)
+            new(*args).transform
+          end
+          def initialize(env)
+            @env = env
+          end
+          def transform
+            return unless FILTERS.key?(name)
+            FILTERS[name].each_pair do |attr, pattern|
+              filter_attribute(attr, pattern) if node.attributes.key?(attr)
+            end
+          end
+          private
+          def filter_attribute(attr, pattern)
+            node[attr] = node[attr].split(DELIMITER).select do |value|
+              pattern.is_a?(Array) ? pattern.include?(value) : (pattern =~ value)
+            end.join(DELIMITER)
+          end
+          def name
+            @env[:node_name]
+          end
+          def node
+            @env[:node]
+          end
+        end
+        RULE = {
+          elements: %w[
+            a b blockquote br code dd del details div dl dt em font h1 h2 h3 h4 h5 h6
+            hr i img input ins kbd li ol p pre q rp rt ruby s samp strike strong sub
+            summary sup table tbody td tfoot th thead tr ul var
+          ],
+          attributes: {
+            "a"          => %w[class href rel title],
+            "blockquote" => %w[cite],
+            "code"       => %w[data-metadata],
+            "div"        => %w[class],
+            "font"       => %w[color],
+            "h1"         => %w[id],
+            "h2"         => %w[id],
+            "h3"         => %w[id],
+            "h4"         => %w[id],
+            "h5"         => %w[id],
+            "h6"         => %w[id],
+            "img"        => %w[alt height src title width],
+            "ins"        => %w[cite datetime],
+            "li"         => %w[id],
+            "q"          => %w[cite],
+            "sup"        => %w[id],
+            "td"         => %w[colspan rowspan style],
+            "th"         => %w[colspan rowspan style],
+          },
+          protocols: {
+            "a"          => { "href" => ["http", "https", "mailto", :relative] },
+            "blockquote" => { "cite" => ["http", "https", :relative] },
+            "q"          => { "cite" => ["http", "https", :relative] },
+          },
+          css: {
+            properties: %w[text-align],
+          },
+          remove_contents: %w[
+            script
+          ],
+          transformers: AttributeFilter,
+        }.freeze
+        def call
+          ::Sanitize.clean_node!(doc, RULE) if context[:strict]
+          doc
+        end
+      end
+    end
+  end
+end

data/lib/qiita/markdown/processor.rb CHANGED Viewed

@@ -10,6 +10,7 @@ module Qiita
       def self.default_filters
         [
           Filters::Greenmat,
+          Filters::UserInputSanitizer,
           Filters::ImageLink,
           Filters::Footnote,
           Filters::Code,
@@ -20,7 +21,7 @@ module Qiita
           Filters::Mention,
           Filters::GroupMention,
           Filters::ExternalLink,
-          Filters::Sanitize,
+          Filters::FinalSanitizer,
         ]
       end
     end

data/lib/qiita/markdown/summary_processor.rb CHANGED Viewed

@@ -16,11 +16,12 @@ module Qiita
       def self.default_filters
         [
           Filters::Greenmat,
+          Filters::UserInputSanitizer,
           Filters::Simplify,
           Filters::Emoji,
           Filters::Mention,
           Filters::ExternalLink,
-          Filters::Sanitize,
+          Filters::FinalSanitizer,
           Filters::Truncate,
         ]
       end

data/lib/qiita/markdown/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module Qiita
   module Markdown
-    VERSION = "0.18.0"
+    VERSION = "0.19.0"
   end
 end

data/qiita-markdown.gemspec CHANGED Viewed

@@ -16,7 +16,7 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ["lib"]
-  spec.required_ruby_version = ">= 2.0.0"
+  spec.required_ruby_version = ">= 2.2.0"
   spec.add_dependency "gemoji"
   spec.add_dependency "github-linguist", "~> 4.0"

data/spec/qiita/markdown/processor_spec.rb CHANGED Viewed

@@ -18,1025 +18,1164 @@ describe Qiita::Markdown::Processor do
       described_class.new(context).call(markdown)
     end
-    context "with valid condition" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          example
-        EOS
-      end
+    shared_examples_for "basic markdown syntax" do
+      context "with valid condition" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            example
+          EOS
+        end
-      it "returns a Hash with HTML output and other metadata" do
-        expect(result[:codes]).to be_an Array
-        expect(result[:mentioned_usernames]).to be_an Array
-        expect(result[:output]).to be_a Nokogiri::HTML::DocumentFragment
+        it "returns a Hash with HTML output and other metadata" do
+          expect(result[:codes]).to be_an Array
+          expect(result[:mentioned_usernames]).to be_an Array
+          expect(result[:output]).to be_a Nokogiri::HTML::DocumentFragment
+        end
       end
-    end
-    context "with HTML-characters" do
-      let(:markdown) do
-        "<>&"
-      end
+      context "with HTML-characters" do
+        let(:markdown) do
+          "<>&"
+        end
-      it "sanitizes them" do
-        should eq <<-EOS.strip_heredoc
-          <p>&lt;&gt;&amp;</p>
-        EOS
+        it "sanitizes them" do
+          should eq <<-EOS.strip_heredoc
+            <p>&lt;&gt;&amp;</p>
+          EOS
+        end
       end
-    end
-    context "with email address" do
-      let(:markdown) do
-        "test@example.com"
-      end
+      context "with email address" do
+        let(:markdown) do
+          "test@example.com"
+        end
-      it "replaces with mailto link" do
-        should eq <<-EOS.strip_heredoc
-          <p><a href="mailto:test@example.com" class="autolink">test@example.com</a></p>
-        EOS
+        it "replaces with mailto link" do
+          should eq <<-EOS.strip_heredoc
+            <p><a href="mailto:test@example.com" class="autolink">test@example.com</a></p>
+          EOS
+        end
       end
-    end
-    context "with headings" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          # a
-          ## a
-          ### a
-          ### a
-        EOS
-      end
+      context "with headings" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            # a
+            ## a
+            ### a
+            ### a
+          EOS
+        end
-      it "adds ID for ToC" do
-        should eq <<-EOS.strip_heredoc
+        it "adds ID for ToC" do
+          should eq <<-EOS.strip_heredoc
-          <h1>
-          <span id="a" class="fragment"></span><a href="#a"><i class="fa fa-link"></i></a>a</h1>
+            <h1>
+            <span id="a" class="fragment"></span><a href="#a"><i class="fa fa-link"></i></a>a</h1>
-          <h2>
-          <span id="a-1" class="fragment"></span><a href="#a-1"><i class="fa fa-link"></i></a>a</h2>
+            <h2>
+            <span id="a-1" class="fragment"></span><a href="#a-1"><i class="fa fa-link"></i></a>a</h2>
-          <h3>
-          <span id="a-2" class="fragment"></span><a href="#a-2"><i class="fa fa-link"></i></a>a</h3>
+            <h3>
+            <span id="a-2" class="fragment"></span><a href="#a-2"><i class="fa fa-link"></i></a>a</h3>
-          <h3>
-          <span id="a-3" class="fragment"></span><a href="#a-3"><i class="fa fa-link"></i></a>a</h3>
-        EOS
+            <h3>
+            <span id="a-3" class="fragment"></span><a href="#a-3"><i class="fa fa-link"></i></a>a</h3>
+          EOS
+        end
       end
-    end
-    context "with heading whose title includes special HTML characters" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          # <b>R&amp;B</b>
-        EOS
-      end
+      context "with heading whose title includes special HTML characters" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            # <b>R&amp;B</b>
+          EOS
+        end
-      it "generates fragment identifier by sanitizing the special characters in the title" do
-        should eq <<-EOS.strip_heredoc
+        it "generates fragment identifier by sanitizing the special characters in the title" do
+          should eq <<-EOS.strip_heredoc
-          <h1>
-          <span id="rb" class="fragment"></span><a href="#rb"><i class="fa fa-link"></i></a><b>R&amp;B</b>
-          </h1>
-        EOS
+            <h1>
+            <span id="rb" class="fragment"></span><a href="#rb"><i class="fa fa-link"></i></a><b>R&amp;B</b>
+            </h1>
+          EOS
+        end
       end
-    end
-    context "with manually inputted heading HTML tags without id attribute" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          <h1>foo</h1>
-        EOS
-      end
+      context "with manually inputted heading HTML tags without id attribute" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            <h1>foo</h1>
+          EOS
+        end
-      it "does nothing" do
-        should eq <<-EOS.strip_heredoc
-          <h1>foo</h1>
-        EOS
+        it "does nothing" do
+          should eq <<-EOS.strip_heredoc
+            <h1>foo</h1>
+          EOS
+        end
       end
-    end
-    context "with code" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          ```foo.rb
-          puts 'hello world'
-          ```
-        EOS
-      end
+      context "with code" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            ```foo.rb
+            puts 'hello world'
+            ```
+          EOS
+        end
-      it "returns detected codes" do
-        expect(result[:codes]).to eq [
-          {
-            code: "puts 'hello world'\n",
-            filename: "foo.rb",
-            language: "ruby",
-          },
-        ]
+        it "returns detected codes" do
+          expect(result[:codes]).to eq [
+            {
+              code: "puts 'hello world'\n",
+              filename: "foo.rb",
+              language: "ruby",
+            },
+          ]
+        end
       end
-    end
-    context "with code & filename" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          ```example.rb
-          1
-          ```
-        EOS
-      end
+      context "with code & filename" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            ```example.rb
+            1
+            ```
+          EOS
+        end
-      it "returns code-frame, code-lang, and highlighted pre element" do
-        should eq <<-EOS.strip_heredoc
-          <div class="code-frame" data-lang="ruby">
-          <div class="code-lang"><span class="bold">example.rb</span></div>
-          <div class="highlight"><pre><span></span><span class="mi">1</span>
-          </pre></div>
-          </div>
-        EOS
+        it "returns code-frame, code-lang, and highlighted pre element" do
+          should eq <<-EOS.strip_heredoc
+            <div class="code-frame" data-lang="ruby">
+            <div class="code-lang"><span class="bold">example.rb</span></div>
+            <div class="highlight"><pre><span></span><span class="mi">1</span>
+            </pre></div>
+            </div>
+          EOS
+        end
       end
-    end
-    context "with code & filename with .php" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          ```example.php
-          1
-          ```
-        EOS
-      end
+      context "with code & filename with .php" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            ```example.php
+            1
+            ```
+          EOS
+        end
-      it "returns PHP code-frame" do
-        should eq <<-EOS.strip_heredoc
-          <div class="code-frame" data-lang="php">
-          <div class="code-lang"><span class="bold">example.php</span></div>
-          <div class="highlight"><pre><span></span><span class="mi">1</span>
-          </pre></div>
-          </div>
-        EOS
+        it "returns PHP code-frame" do
+          should eq <<-EOS.strip_heredoc
+            <div class="code-frame" data-lang="php">
+            <div class="code-lang"><span class="bold">example.php</span></div>
+            <div class="highlight"><pre><span></span><span class="mi">1</span>
+            </pre></div>
+            </div>
+          EOS
+        end
       end
-    end
-    context "with malicious script in filename" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          ```js:test<script>alert(1)</script>
-          1
-          ```
-        EOS
-      end
+      context "with code & no filename" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            ```ruby
+            1
+            ```
+          EOS
+        end
-      it "sanitizes script element" do
-        should eq <<-EOS.strip_heredoc
-          <div class="code-frame" data-lang="js">
-          <div class="code-lang"><span class="bold">test</span></div>
-          <div class="highlight"><pre><span></span><span class="mi">1</span>
-          </pre></div>
-          </div>
-        EOS
+        it "returns code-frame and highlighted pre element" do
+          should eq <<-EOS.strip_heredoc
+            <div class="code-frame" data-lang="ruby"><div class="highlight"><pre><span></span><span class="mi">1</span>
+            </pre></div></div>
+          EOS
+        end
       end
-    end
-    context "with code & no filename" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          ```ruby
-          1
-          ```
-        EOS
-      end
+      context "with undefined but aliased language" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            ```zsh
+            true
+            ```
+          EOS
+        end
-      it "returns code-frame and highlighted pre element" do
-        should eq <<-EOS.strip_heredoc
-          <div class="code-frame" data-lang="ruby"><div class="highlight"><pre><span></span><span class="mi">1</span>
-          </pre></div></div>
-        EOS
+        it "returns aliased language name" do
+          expect(result[:codes]).to eq [
+            {
+              code: "true\n",
+              filename: nil,
+              language: "bash",
+            },
+          ]
+        end
       end
-    end
-    context "with undefined but aliased language" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          ```zsh
-          true
-          ```
-        EOS
-      end
+      context "with code with leading and trailing newlines" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            ```
-      it "returns aliased language name" do
-        expect(result[:codes]).to eq [
-          {
-            code: "true\n",
-            filename: nil,
-            language: "bash",
-          },
-        ]
-      end
-    end
+            foo
-    context "with code with leading and trailing newlines" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          ```
+            ```
+          EOS
+        end
-          foo
+        it "does not strip the newlines" do
+          should eq <<-EOS.strip_heredoc
+            <div class="code-frame" data-lang="text"><div class="highlight"><pre><span></span>
+            foo
-          ```
-        EOS
+            </pre></div></div>
+           EOS
+        end
       end
-      it "does not strip the newlines" do
-        should eq <<-EOS.strip_heredoc
-          <div class="code-frame" data-lang="text"><div class="highlight"><pre><span></span>
-          foo
+      context "with mention" do
+        let(:markdown) do
+          "@alice"
+        end
-          </pre></div></div>
-         EOS
+        it "replaces mention with link" do
+          should include(<<-EOS.strip_heredoc.rstrip)
+            <a href="/alice" class="user-mention js-hovercard" title="alice" data-hovercard-target-type="user" data-hovercard-target-name="alice">@alice</a>
+          EOS
+        end
       end
-    end
-    context "with script element" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          <script>alert(1)</script>
-        EOS
-      end
+      context "with mention to short name user" do
+        let(:markdown) do
+          "@al"
+        end
-      it "removes script element" do
-        should eq "\n"
+        it "replaces mention with link" do
+          should include(<<-EOS.strip_heredoc.rstrip)
+            <a href="/al" class="user-mention js-hovercard" title="al" data-hovercard-target-type="user" data-hovercard-target-name="al">@al</a>
+          EOS
+        end
       end
-    end
-    context "with script context" do
-      before do
-        context[:script] = true
-      end
+      context "with mentions in complex patterns" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            @alice
+            ```
+              @bob
+            ```
+            @charlie/@dave
+            @ell_en
+            @fran-k
+            @Isaac
+            @justin
+            @justin
+            @mallory@github
+            @#{'o' * 33}
+            @o
+            @o-
+            @-o
+            @o_
+            @_o
+          EOS
+        end
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          <p><script>alert(1)</script></p>
-        EOS
+        it "extracts mentions correctly" do
+          expect(result[:mentioned_usernames]).to eq %w[
+            alice
+            dave
+            ell_en
+            fran-k
+            Isaac
+            justin
+            mallory@github
+            o_
+            _o
+          ]
+        end
       end
-      it "allows script element" do
-        should eq markdown
-      end
-    end
+      context "with mention-like filename on code block" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            ```ruby:@alice
+            1
+            ```
+          EOS
+        end
-    context "with allowed attributes" do
-      before do
-        context[:script] = true
+        it "does not treat it as mention" do
+          should include(<<-EOS.strip_heredoc.rstrip)
+            <div class="code-frame" data-lang="ruby">
+            <div class="code-lang"><span class="bold">@alice</span></div>
+            <div class="highlight"><pre><span></span><span class="mi">1</span>
+            </pre></div>
+            </div>
+          EOS
+        end
       end
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          <p><script async data-a="b" type="text/javascript">alert(1)</script></p>
-        EOS
-      end
+      context "with mention in blockquote" do
+        let(:markdown) do
+          "> @alice"
+        end
-      it "allows data-attributes" do
-        should eq markdown
+        it "does not replace mention with link" do
+          should include(<<-EOS.strip_heredoc.rstrip)
+            <blockquote>
+            <p>@alice</p>
+            </blockquote>
+          EOS
+        end
       end
-    end
-    context "with iframe" do
-      before do
-        context[:script] = true
-      end
+      context "with mention to user whose name starts and ends with underscore" do
+        let(:markdown) do
+          "@_alice_"
+        end
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          <iframe width="1" height="2" src="//example.com" frameborder="0" allowfullscreen></iframe>
-        EOS
+        it "does not emphasize the name" do
+          should include(<<-EOS.strip_heredoc.rstrip)
+            <a href="/_alice_" class="user-mention js-hovercard" title="_alice_" data-hovercard-target-type="user" data-hovercard-target-name="_alice_">@_alice_</a>
+          EOS
+        end
       end
-      it "allows iframe with some attributes" do
-        should eq markdown
-      end
-    end
+      context "with allowed_usernames context" do
+        before do
+          context[:allowed_usernames] = ["alice"]
+        end
-    context "with mention" do
-      let(:markdown) do
-        "@alice"
-      end
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            @alice
+            @bob
+          EOS
+        end
-      it "replaces mention with link" do
-        should include(<<-EOS.strip_heredoc.rstrip)
-          <a href="/alice" class="user-mention js-hovercard" title="alice" data-hovercard-target-type="user" data-hovercard-target-name="alice">@alice</a>
-        EOS
+        it "limits mentions to allowed usernames" do
+          expect(result[:mentioned_usernames]).to eq ["alice"]
+        end
       end
-    end
-    context "with mention to short name user" do
-      let(:markdown) do
-        "@al"
-      end
+      context "with @all and allowed_usernames context" do
+        before do
+          context[:allowed_usernames] = ["alice", "bob"]
+        end
+        let(:markdown) do
+          "@all"
+        end
-      it "replaces mention with link" do
-        should include(<<-EOS.strip_heredoc.rstrip)
-          <a href="/al" class="user-mention js-hovercard" title="al" data-hovercard-target-type="user" data-hovercard-target-name="al">@al</a>
-        EOS
+        it "links it and reports all allowed users as mentioned user names" do
+          should include(<<-EOS.strip_heredoc.rstrip)
+            <a href="/" class="user-mention" title="all">@all</a>
+          EOS
+          expect(result[:mentioned_usernames]).to eq context[:allowed_usernames]
+        end
       end
-    end
-    context "with mentions in complex patterns" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          @alice
+      context "with @all and @alice" do
+        before do
+          context[:allowed_usernames] = ["alice", "bob"]
+        end
-          ```
-            @bob
-          ```
-          @charlie/@dave
-          @ell_en
-          @fran-k
-          @Isaac
-          @justin
-          @justin
-          @mallory@github
-          @#{'o' * 33}
-          @o
-          @o-
-          @-o
-          @o_
-          @_o
-        EOS
-      end
-      it "extracts mentions correctly" do
-        expect(result[:mentioned_usernames]).to eq %w[
-          alice
-          dave
-          ell_en
-          fran-k
-          Isaac
-          justin
-          mallory@github
-          o_
-          _o
-        ]
-      end
-    end
+        let(:markdown) do
+          "@all @alice"
+        end
-    context "with mention-like filename on code block" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          ```ruby:@alice
-          1
-          ```
-        EOS
+        it "does not duplicate mentioned user names" do
+          expect(result[:mentioned_usernames]).to eq context[:allowed_usernames]
+        end
       end
-      it "does not treat it as mention" do
-        should include(<<-EOS.strip_heredoc.rstrip)
-          <div class="code-frame" data-lang="ruby">
-          <div class="code-lang"><span class="bold">@alice</span></div>
-          <div class="highlight"><pre><span></span><span class="mi">1</span>
-          </pre></div>
-          </div>
-        EOS
-      end
-    end
+      context "with @all and no allowed_usernames context" do
+        let(:markdown) do
+          "@all"
+        end
-    context "with mention in blockquote" do
-      let(:markdown) do
-        "> @alice"
+        it "does not repond to @all" do
+          should eq "<p>@all</p>\n"
+          expect(result[:mentioned_usernames]).to eq []
+        end
       end
-      it "does not replace mention with link" do
-        should include(<<-EOS.strip_heredoc.rstrip)
-          <blockquote>
-          <p>@alice</p>
-          </blockquote>
-        EOS
-      end
-    end
+      context "with group mention without group_memberion_url_generator" do
+        let(:markdown) do
+          "@alice/bob"
+        end
-    context "with mention to user whose name starts and ends with underscore" do
-      let(:markdown) do
-        "@_alice_"
+        it "does not replace it" do
+          is_expected.to eq <<-EOS.strip_heredoc
+            <p>@alice/bob</p>
+          EOS
+        end
       end
-      it "does not emphasize the name" do
-        should include(<<-EOS.strip_heredoc.rstrip)
-          <a href="/_alice_" class="user-mention js-hovercard" title="_alice_" data-hovercard-target-type="user" data-hovercard-target-name="_alice_">@_alice_</a>
-        EOS
-      end
-    end
+      context "with group mention" do
+        let(:context) do
+          super().merge(group_mention_url_generator: lambda do |group|
+            "https://#{group[:team_url_name]}.example.com/groups/#{group[:group_url_name]}"
+          end)
+        end
-    context "with allowed_usernames context" do
-      before do
-        context[:allowed_usernames] = ["alice"]
-      end
+        let(:markdown) do
+          "@alice/bob"
+        end
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          @alice
-          @bob
-        EOS
+        it "replaces it with preferred link and updates :mentioned_groups" do
+          is_expected.to eq <<-EOS.strip_heredoc
+            <p><a href="https://alice.example.com/groups/bob" rel="nofollow noopener" target="_blank">@alice/bob</a></p>
+          EOS
+          expect(result[:mentioned_groups]).to eq [{
+            group_url_name: "bob",
+            team_url_name: "alice",
+          }]
+        end
       end
-      it "limits mentions to allowed usernames" do
-        expect(result[:mentioned_usernames]).to eq ["alice"]
-      end
-    end
+      context "with group mention following another text" do
+        let(:context) do
+          super().merge(group_mention_url_generator: lambda do |group|
+            "https://#{group[:team_url_name]}.example.com/groups/#{group[:group_url_name]}"
+          end)
+        end
-    context "with @all and allowed_usernames context" do
-      before do
-        context[:allowed_usernames] = ["alice", "bob"]
-      end
+        let(:markdown) do
+          "FYI @alice/bob"
+        end
-      let(:markdown) do
-        "@all"
+        it "preserves space after preceding text" do
+          is_expected.to start_with("<p>FYI <a ")
+        end
       end
-      it "links it and reports all allowed users as mentioned user names" do
-        should include(<<-EOS.strip_heredoc.rstrip)
-          <a href="/" class="user-mention" title="all">@all</a>
-        EOS
-        expect(result[:mentioned_usernames]).to eq context[:allowed_usernames]
-      end
-    end
+      context "with normal link" do
+        let(:markdown) do
+          "[](/example)"
+        end
-    context "with @all and @alice" do
-      before do
-        context[:allowed_usernames] = ["alice", "bob"]
+        it "creates link for that" do
+          should eq <<-EOS.strip_heredoc
+            <p><a href="/example"></a></p>
+          EOS
+        end
       end
-      let(:markdown) do
-        "@all @alice"
-      end
+      context "with anchor link" do
+        let(:markdown) do
+          "[](#example)"
+        end
-      it "does not duplicate mentioned user names" do
-        expect(result[:mentioned_usernames]).to eq context[:allowed_usernames]
+        it "creates link for that" do
+          should eq <<-EOS.strip_heredoc
+            <p><a href="#example"></a></p>
+          EOS
+        end
       end
-    end
-    context "with @all and no allowed_usernames context" do
-      let(:markdown) do
-        "@all"
-      end
+      context "with link with title" do
+        let(:markdown) do
+          '[](/example "Title")'
+        end
-      it "does not repond to @all" do
-        should eq "<p>@all</p>\n"
-        expect(result[:mentioned_usernames]).to eq []
+        it "creates link for that with the title" do
+          should eq <<-EOS.strip_heredoc
+            <p><a href="/example" title="Title"></a></p>
+          EOS
+        end
       end
-    end
-    context "with group mention without group_memberion_url_generator" do
-      let(:markdown) do
-        "@alice/bob"
-      end
+      context "with raw URL" do
+        let(:markdown) do
+          "http://example.com/search?q=日本語"
+        end
-      it "does not replace it" do
-        is_expected.to eq <<-EOS.strip_heredoc
-          <p>@alice/bob</p>
-        EOS
+        it "creates link for that with .autolink class" do
+          should eq(
+            '<p><a href="http://example.com/search?q=%E6%97%A5%E6%9C%AC%E8%AA%9E" class="autolink">' \
+            "http://example.com/search?q=日本語</a></p>\n"
+          )
+        end
       end
-    end
-    context "with group mention" do
-      let(:context) do
-        super().merge(group_mention_url_generator: lambda do |group|
-          "https://#{group[:team_url_name]}.example.com/groups/#{group[:group_url_name]}"
-        end)
-      end
+      context "with javascript: link" do
+        let(:markdown) do
+          "[](javascript:alert(1))"
+        end
-      let(:markdown) do
-        "@alice/bob"
+        it "removes that link by creating empty a element" do
+          should eq <<-EOS.strip_heredoc
+            <p><a></a></p>
+          EOS
+        end
       end
-      it "replaces it with preferred link and updates :mentioned_groups" do
-        is_expected.to eq <<-EOS.strip_heredoc
-          <p><a href="https://alice.example.com/groups/bob" rel="nofollow noopener" target="_blank">@alice/bob</a></p>
-        EOS
-        expect(result[:mentioned_groups]).to eq [{
-          group_url_name: "bob",
-          team_url_name: "alice",
-        }]
-      end
-    end
+      context "with emoji" do
+        let(:markdown) do
+          ":+1:"
+        end
-    context "with group mention following another text" do
-      let(:context) do
-        super().merge(group_mention_url_generator: lambda do |group|
-          "https://#{group[:team_url_name]}.example.com/groups/#{group[:group_url_name]}"
-        end)
+        it "replaces it with img element" do
+          should include("img")
+        end
       end
-      let(:markdown) do
-        "FYI @alice/bob"
-      end
+      context "with emoji in pre or code element" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            ```
+            :+1:
+            ```
+          EOS
+        end
-      it "preserves space after preceding text" do
-        is_expected.to start_with("<p>FYI <a ")
+        it "does not replace it" do
+          should_not include("img")
+        end
       end
-    end
-    context "with normal link" do
-      let(:markdown) do
-        "[](/example)"
-      end
+      context "with image notation" do
+        let(:markdown) do
+          "![a](http://example.com/b.png)"
+        end
-      it "creates link for that" do
-        should eq <<-EOS.strip_heredoc
-          <p><a href="/example"></a></p>
-        EOS
+        it "wraps it in a element" do
+          should eq %(<p><a href="http://example.com/b.png" target="_blank">) +
+                    %(<img src="http://example.com/b.png" alt="a"></a></p>\n)
+        end
       end
-    end
-    context "with anchor link" do
-      let(:markdown) do
-        "[](#example)"
-      end
+      context "with image notation with title" do
+        let(:markdown) do
+          '![a](http://example.com/b.png "Title")'
+        end
-      it "creates link for that" do
-        should eq <<-EOS.strip_heredoc
-          <p><a href="#example"></a></p>
-        EOS
+        it "generates <img> tag with the title" do
+          should eq %(<p><a href="http://example.com/b.png" target="_blank">) +
+                    %(<img src="http://example.com/b.png" alt="a" title="Title"></a></p>\n)
+        end
       end
-    end
-    context "with raw URL" do
-      let(:markdown) do
-        "http://example.com/search?q=日本語"
-      end
+      context "with <img> tag with width and height attribute (for Retina image)" do
+        let(:markdown) do
+          '<img width="80" height="48" alt="a" src="http://example.com/b.png">'
+        end
-      it "creates link for that with .autolink class" do
-        should eq(
-          '<p><a href="http://example.com/search?q=%E6%97%A5%E6%9C%AC%E8%AA%9E" class="autolink">' \
-          "http://example.com/search?q=日本語</a></p>\n"
-        )
+        it "wraps it in a element while keeping the width attribute" do
+          should eq %(<p><a href="http://example.com/b.png" target="_blank">) +
+                    %(<img width="80" height="48" alt="a" src="http://example.com/b.png"></a></p>\n)
+        end
       end
-    end
-    context "with javascript: link" do
-      let(:markdown) do
-        "[](javascript:alert(1))"
-      end
+      context "with colon-only label" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            ```:
+            1
+            ```
+          EOS
+        end
-      it "removes that link by creating empty a element" do
-        should eq <<-EOS.strip_heredoc
-          <p><a></a></p>
-        EOS
+        it "does not replace it" do
+          expect(result[:codes]).to eq [
+            {
+              code: "1\n",
+              filename: nil,
+              language: nil,
+            },
+          ]
+        end
       end
-    end
-    context "with emoji" do
-      let(:markdown) do
-        ":+1:"
-      end
+      context "with font element with color attribute" do
+        let(:markdown) do
+          %[<font color="red">test</font>]
+        end
-      it "replaces it with img element" do
-        should include("img")
+        it "allows font element with color attribute" do
+          should eq <<-EOS.strip_heredoc
+            <p>#{markdown}</p>
+          EOS
+        end
       end
-    end
-    context "with emoji in pre or code element" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          ```
-          :+1:
-          ```
-        EOS
-      end
+      context "with task list" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            - [ ] a
+            - [x] b
+          EOS
+        end
-      it "does not replace it" do
-        should_not include("img")
+        it "inserts checkbox" do
+          should eq <<-EOS.strip_heredoc
+            <ul>
+            <li class="task-list-item">
+            <input type="checkbox" class="task-list-item-checkbox" disabled>a</li>
+            <li class="task-list-item">
+            <input type="checkbox" class="task-list-item-checkbox" checked disabled>b</li>
+            </ul>
+          EOS
+        end
       end
-    end
-    context "with image notation" do
-      let(:markdown) do
-        "![a](http://example.com/b.png)"
-      end
+      context "with nested task list" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            - [ ] a
+             - [ ] b
+          EOS
+        end
-      it "wraps it in a element" do
-        should eq '<p><a href="http://example.com/b.png" target="_blank">' +
-                  %(<img src="http://example.com/b.png" alt="a"></a></p>\n)
+        it "inserts checkbox" do
+          should eq <<-EOS.strip_heredoc
+            <ul>
+            <li class="task-list-item">
+            <input type="checkbox" class="task-list-item-checkbox" disabled>a
+            <ul>
+            <li class="task-list-item">
+            <input type="checkbox" class="task-list-item-checkbox" disabled>b</li>
+            </ul>
+            </li>
+            </ul>
+          EOS
+        end
       end
-    end
-    context "with colon-only label" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          ```:
-          1
-          ```
-        EOS
-      end
+      context "with task list in code block" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            ```
+            - [ ] a
+            - [x] b
+            ```
+          EOS
+        end
-      it "does not replace it" do
-        expect(result[:codes]).to eq [
-          {
-            code: "1\n",
-            filename: nil,
-            language: nil,
-          },
-        ]
+        it "does not replace checkbox" do
+          should eq <<-EOS.strip_heredoc
+            <div class="code-frame" data-lang="text"><div class="highlight"><pre><span></span>- [ ] a
+            - [x] b
+            </pre></div></div>
+          EOS
+        end
       end
-    end
-    context "with font element with color attribute" do
-      let(:markdown) do
-        %[<font color="red">test</font>]
-      end
+      context "with empty line between task list" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            - [ ] a
-      it "allows font element with color attribute" do
-        should eq <<-EOS.strip_heredoc
-          <p>#{markdown}</p>
-        EOS
-      end
-    end
+            - [x] b
+          EOS
+        end
-    context "with task list" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          - [ ] a
-          - [x] b
-        EOS
+        it "inserts checkbox" do
+          should eq <<-EOS.strip_heredoc
+            <ul>
+            <li class="task-list-item"><p><input type="checkbox" class="task-list-item-checkbox" disabled>a</p></li>
+            <li class="task-list-item"><p><input type="checkbox" class="task-list-item-checkbox" checked disabled>b</p></li>
+            </ul>
+          EOS
+        end
       end
-      it "inserts checkbox" do
-        should eq <<-EOS.strip_heredoc
-          <ul>
-          <li class="task-list-item">
-          <input type="checkbox" class="task-list-item-checkbox" disabled>a</li>
-          <li class="task-list-item">
-          <input type="checkbox" class="task-list-item-checkbox" checked disabled>b</li>
-          </ul>
-        EOS
-      end
-    end
+      context "with empty list" do
+        let(:markdown) do
+          "- \n"
+        end
-    context "with nested task list" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          - [ ] a
-           - [ ] b
-        EOS
+        it "inserts checkbox" do
+          should eq <<-EOS.strip_heredoc
+            <ul>
+            <li>
+            </ul>
+          EOS
+        end
       end
-      it "inserts checkbox" do
-        should eq <<-EOS.strip_heredoc
-          <ul>
-          <li class="task-list-item">
-          <input type="checkbox" class="task-list-item-checkbox" disabled>a
+      context "with text-aligned table" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            | a  | b  | c   |
+            |:---|---:|:---:|
+            | a  | b  | c   |
+          EOS
+        end
-          <ul>
-          <li class="task-list-item">
-          <input type="checkbox" class="task-list-item-checkbox" disabled>b</li>
-          </ul>
-          </li>
-          </ul>
-        EOS
+        it "creates table element with text-align style" do
+          should eq <<-EOS.strip_heredoc
+            <table>
+            <thead>
+            <tr>
+            <th style="text-align: left">a</th>
+            <th style="text-align: right">b</th>
+            <th style="text-align: center">c</th>
+            </tr>
+            </thead>
+            <tbody>
+            <tr>
+            <td style="text-align: left">a</td>
+            <td style="text-align: right">b</td>
+            <td style="text-align: center">c</td>
+            </tr>
+            </tbody>
+            </table>
+          EOS
+        end
       end
-    end
-    context "with task list in code block" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          ```
-          - [ ] a
-          - [x] b
-          ```
-        EOS
-      end
+      context "with footenotes syntax" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            [^1]
+            [^1]: test
+          EOS
+        end
-      it "does not replace checkbox" do
-        should eq <<-EOS.strip_heredoc
-          <div class="code-frame" data-lang="text"><div class="highlight"><pre><span></span>- [ ] a
-          - [x] b
-          </pre></div></div>
-        EOS
-      end
-    end
+        it "generates footnotes elements" do
+          should eq <<-EOS.strip_heredoc
+            <p><sup id="fnref1"><a href="#fn1" rel="footnote" title="test">1</a></sup></p>
-    context "with empty line between task list" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          - [ ] a
+            <div class="footnotes">
+            <hr>
+            <ol>
-          - [x] b
-        EOS
-      end
+            <li id="fn1">
+            <p>test <a href="#fnref1">↩</a></p>
+            </li>
-      it "inserts checkbox" do
-        should eq <<-EOS.strip_heredoc
-          <ul>
-          <li class="task-list-item"><p><input type="checkbox" class="task-list-item-checkbox" disabled>a</p></li>
-          <li class="task-list-item"><p><input type="checkbox" class="task-list-item-checkbox" checked disabled>b</p></li>
-          </ul>
-        EOS
+            </ol>
+            </div>
+          EOS
+        end
       end
-    end
-    context "with empty list" do
-      let(:markdown) do
-        "- \n"
-      end
+      context "with manually written link inside of <sup> tag" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            <sup>[Example](http://example.com/)</sup>
+          EOS
+        end
-      it "inserts checkbox" do
-        should eq <<-EOS.strip_heredoc
-          <ul>
-          <li>
-          </ul>
-        EOS
+        it "does not confuse the structure with automatically generated footnote reference" do
+          should eq <<-EOS.strip_heredoc
+            <p><sup><a href="http://example.com/">Example</a></sup></p>
+          EOS
+        end
       end
-    end
-    context "with text-aligned table" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          | a  | b  | c   |
-          |:---|---:|:---:|
-          | a  | b  | c   |
-        EOS
-      end
-      it "creates table element with text-align style" do
-        should eq <<-EOS.strip_heredoc
-          <table>
-          <thead>
-          <tr>
-          <th style="text-align: left">a</th>
-          <th style="text-align: right">b</th>
-          <th style="text-align: center">c</th>
-          </tr>
-          </thead>
-          <tbody>
-          <tr>
-          <td style="text-align: left">a</td>
-          <td style="text-align: right">b</td>
-          <td style="text-align: center">c</td>
-          </tr>
-          </tbody>
-          </table>
-        EOS
+      context "with manually written <a> tag with strange href inside of <sup> tag" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            <sup><a href="#foo.1">Link</a></sup>
+          EOS
+        end
+        it "does not confuse the structure with automatically generated footnote reference" do
+          should eq <<-EOS.strip_heredoc
+            <p><sup><a href="#foo.1">Link</a></sup></p>
+          EOS
+        end
       end
-    end
-    context "with footenotes syntax" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          [^1]
-          [^1]: test
-        EOS
+      context "with markdown: { footnotes: false } context" do
+        before do
+          context[:markdown] = { footnotes: false }
+        end
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            [^1]
+            [^1]: test
+          EOS
+        end
+        it "does not generate footnote elements" do
+          should eq <<-EOS.strip_heredoc
+            <p><a href="test">^1</a></p>
+          EOS
+        end
       end
-      it "generates footnotes elements" do
-        should eq <<-EOS.strip_heredoc
-          <p><sup id="fnref1"><a href="#fn1" rel="footnote" title="test">1</a></sup></p>
+      context "with emoji_names and emoji_url_generator context" do
+        before do
+          context[:emoji_names] = %w(foo o)
-          <div class="footnotes">
-          <hr>
-          <ol>
+          context[:emoji_url_generator] = proc do |emoji_name|
+            "https://example.com/foo.png" if emoji_name == "foo"
+          end
+        end
-          <li id="fn1">
-          <p>test <a href="#fnref1">↩</a></p>
-          </li>
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            :foo: :o: :x:
+          EOS
+        end
-          </ol>
-          </div>
-        EOS
-      end
-    end
+        it "replaces only the specified emoji names with img elements with custom URL" do
+          should include(
+            '<img class="emoji" title=":foo:" alt=":foo:" src="https://example.com/foo.png"',
+            '<img class="emoji" title=":o:" alt=":o:" src="/images/emoji/unicode/2b55.png"'
+          )
-    context "with manually written link inside of <sup> tag" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          <sup>[Example](http://example.com/)</sup>
-        EOS
+          should_not include(
+            '<img class="emoji" title=":x:" alt=":x:"'
+          )
+        end
       end
-      it "does not confuse the structure with automatically generated footnote reference" do
-        should eq <<-EOS.strip_heredoc
-          <p><sup><a href="http://example.com/">Example</a></sup></p>
-        EOS
-      end
-    end
+      context "with internal URL" do
+        let(:markdown) do
+          "http://qiita.com/?a=b"
+        end
-    context "with manually written <a> tag with strange href inside of <sup> tag" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          <sup><a href="#foo.1">Link</a></sup>
-        EOS
-      end
+        let(:context) do
+          { hostname: "qiita.com" }
+        end
-      it "does not confuse the structure with automatically generated footnote reference" do
-        should eq <<-EOS.strip_heredoc
-          <p><sup><a href="#foo.1">Link</a></sup></p>
-        EOS
+        it "creates link which does not have rel='nofollow noopener' and target='_blank'" do
+          should eq(
+            '<p><a href="http://qiita.com/?a=b" class="autolink">' \
+            "http://qiita.com/?a=b</a></p>\n"
+          )
+        end
       end
-    end
-    context "with markdown: { footnotes: false } context" do
-      before do
-        context[:markdown] = { footnotes: false }
-      end
+      context "with external URL" do
+        let(:markdown) do
+          "http://external.com/?a=b"
+        end
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          [^1]
-          [^1]: test
-        EOS
-      end
+        let(:context) do
+          { hostname: "qiita.com" }
+        end
-      it "does not generate footnote elements" do
-        should eq <<-EOS.strip_heredoc
-          <p><a href="test">^1</a></p>
-        EOS
+        it "creates link which has rel='nofollow noopener' and target='_blank'" do
+          should eq(
+            '<p><a href="http://external.com/?a=b" class="autolink" rel="nofollow noopener" target="_blank">' \
+            "http://external.com/?a=b</a></p>\n"
+          )
+        end
       end
-    end
-    context "with data-attributes" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          <div data-a="b"></div>
-        EOS
-      end
+      context "with internal anchor tag" do
+        let(:markdown) do
+          '<a href="http://qiita.com/?a=b">foobar</a>'
+        end
-      it "sanitizes data-attributes" do
-        should eq <<-EOS.strip_heredoc
-          <div></div>
-        EOS
-      end
-    end
+        let(:context) do
+          { hostname: "qiita.com" }
+        end
-    context "with data-attributes and :script option" do
-      before do
-        context[:script] = true
+        it "creates link which does not have rel='nofollow noopener' and target='_blank'" do
+          should eq(
+            "<p><a href=\"http://qiita.com/?a=b\">foobar</a></p>\n"
+          )
+        end
       end
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          <div data-a="b"></div>
-        EOS
-      end
+      context "with external anchor tag" do
+        let(:markdown) do
+          '<a href="http://external.com/?a=b">foobar</a>'
+        end
+        let(:context) do
+          { hostname: "qiita.com" }
+        end
-      it "does not sanitize data-attributes" do
-        should eq <<-EOS.strip_heredoc
-          <div data-a="b"></div>
-        EOS
+        it "creates link which has rel='nofollow noopener' and target='_blank'" do
+          should eq(
+            "<p><a href=\"http://external.com/?a=b\" rel=\"nofollow noopener\" target=\"_blank\">foobar</a></p>\n"
+          )
+        end
       end
-    end
-    context "with emoji_names and emoji_url_generator context" do
-      before do
-        context[:emoji_names] = %w(foo o)
+      context "with external URL which ends with the hostname parameter" do
+        let(:markdown) do
+          "http://qqqqqqiita.com/?a=b"
+        end
-        context[:emoji_url_generator] = proc do |emoji_name|
-          "https://example.com/foo.png" if emoji_name == "foo"
+        let(:context) do
+          { hostname: "qiita.com" }
         end
-      end
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          :foo: :o: :x:
-        EOS
+        it "creates link which has rel='nofollow noopener' and target='_blank'" do
+          should eq(
+            '<p><a href="http://qqqqqqiita.com/?a=b" class="autolink" rel="nofollow noopener" target="_blank">' \
+            "http://qqqqqqiita.com/?a=b</a></p>\n"
+          )
+        end
       end
-      it "replaces only the specified emoji names with img elements with custom URL" do
-        should include(
-          '<img class="emoji" title=":foo:" alt=":foo:" src="https://example.com/foo.png"',
-          '<img class="emoji" title=":o:" alt=":o:" src="/images/emoji/unicode/2b55.png"'
-        )
+      context "with external anchor tag which ends with the hostname parameter" do
+        let(:markdown) do
+          '<a href="http://qqqqqqiita.com/?a=b">foobar</a>'
+        end
-        should_not include(
-          '<img class="emoji" title=":x:" alt=":x:"'
-        )
-      end
-    end
+        let(:context) do
+          { hostname: "qiita.com" }
+        end
-    context "with internal URL" do
-      let(:markdown) do
-        "http://qiita.com/?a=b"
+        it "creates link which has rel='nofollow noopener' and target='_blank'" do
+          should eq(
+            "<p><a href=\"http://qqqqqqiita.com/?a=b\" rel=\"nofollow noopener\" target=\"_blank\">foobar</a></p>\n"
+          )
+        end
       end
-      let(:context) do
-        { hostname: "qiita.com" }
-      end
+      context "with sub-domain URL of hostname parameter" do
+        let(:markdown) do
+          "http://sub.qiita.com/?a=b"
+        end
-      it "creates link which does not have rel='nofollow noopener' and target='_blank'" do
-        should eq(
-          '<p><a href="http://qiita.com/?a=b" class="autolink">' \
-          "http://qiita.com/?a=b</a></p>\n"
-        )
-      end
-    end
+        let(:context) do
+          { hostname: "qiita.com" }
+        end
-    context "with external URL" do
-      let(:markdown) do
-        "http://external.com/?a=b"
+        it "creates link which has rel='nofollow noopener' and target='_blank'" do
+          should eq(
+            '<p><a href="http://sub.qiita.com/?a=b" class="autolink" rel="nofollow noopener" target="_blank">' \
+            "http://sub.qiita.com/?a=b</a></p>\n"
+          )
+        end
       end
-      let(:context) do
-        { hostname: "qiita.com" }
-      end
+      context "with external anchor tag which has rel attribute" do
+        let(:markdown) do
+          '<a href="http://external.com/?a=b" rel="url">foobar</a>'
+        end
-      it "creates link which has rel='nofollow noopener' and target='_blank'" do
-        should eq(
-          '<p><a href="http://external.com/?a=b" class="autolink" rel="nofollow noopener" target="_blank">' \
-          "http://external.com/?a=b</a></p>\n"
-        )
-      end
-    end
+        let(:context) do
+          { hostname: "qiita.com" }
+        end
-    context "with internal anchor tag" do
-      let(:markdown) do
-        '<a href="http://qiita.com/?a=b">foobar</a>'
+        it "creates link which has rel='nofollow noopener' and target='_blank', and rel value is overwritten" do
+          should eq(
+            "<p><a href=\"http://external.com/?a=b\" rel=\"nofollow noopener\" target=\"_blank\">foobar</a></p>\n"
+          )
+        end
       end
-      let(:context) do
-        { hostname: "qiita.com" }
-      end
+      context "with blockquote syntax" do
+        let(:markdown) do
+          "> foo"
+        end
-      it "creates link which does not have rel='nofollow noopener' and target='_blank'" do
-        should eq(
-          "<p><a href=\"http://qiita.com/?a=b\">foobar</a></p>\n"
-        )
+        it "does not confuse it with HTML tag angle brackets" do
+          should eq "<blockquote>\n<p>foo</p>\n</blockquote>\n"
+        end
       end
     end
-    context "with external anchor tag" do
-      let(:markdown) do
-        '<a href="http://external.com/?a=b">foobar</a>'
-      end
+    shared_examples_for "script element" do |allowed:|
+      context "with script element" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            <script>alert(1)</script>
+          EOS
+        end
-      let(:context) do
-        { hostname: "qiita.com" }
+        if allowed
+          it "allows script element" do
+            should eq markdown
+          end
+          context "and allowed attributes" do
+            let(:markdown) do
+              <<-EOS.strip_heredoc
+                <p><script async data-a="b" type="text/javascript">alert(1)</script></p>
+              EOS
+            end
+            it "allows data-attributes" do
+              should eq markdown
+            end
+          end
+        else
+          it "removes script element" do
+            should eq "\n"
+          end
+        end
       end
+    end
-      it "creates link which has rel='nofollow noopener' and target='_blank'" do
-        should eq(
-          "<p><a href=\"http://external.com/?a=b\" rel=\"nofollow noopener\" target=\"_blank\">foobar</a></p>\n"
-        )
+    shared_examples_for "malicious script in filename" do |allowed:|
+      context "with malicious script in filename" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            ```js:test<script>alert(1)</script>
+            1
+            ```
+          EOS
+        end
+        if allowed
+          it "does not sanitize script element" do
+            should eq <<-EOS.strip_heredoc
+              <div class="code-frame" data-lang="js">
+              <div class="code-lang"><span class="bold">test<script>alert(1)</script></span></div>
+              <div class="highlight"><pre><span></span><span class="mi">1</span>
+              </pre></div>
+              </div>
+            EOS
+          end
+        else
+          it "sanitizes script element" do
+            should eq <<-EOS.strip_heredoc
+              <div class="code-frame" data-lang="js">
+              <div class="code-lang"><span class="bold">test</span></div>
+              <div class="highlight"><pre><span></span><span class="mi">1</span>
+              </pre></div>
+              </div>
+            EOS
+          end
+        end
       end
     end
-    context "with external URL which ends with the hostname parameter" do
-      let(:markdown) do
-        "http://qqqqqqiita.com/?a=b"
-      end
+    shared_examples_for "iframe element" do |allowed:|
+      context "with iframe" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            <iframe width="1" height="2" src="//example.com" frameborder="0" allowfullscreen></iframe>
+          EOS
+        end
-      let(:context) do
-        { hostname: "qiita.com" }
+        if allowed
+          it "allows iframe with some attributes" do
+            should eq markdown
+          end
+        else
+          it "sanitizes iframe element" do
+            should eq "\n"
+          end
+        end
       end
+    end
+    shared_examples_for "data-attributes" do |allowed:|
+      context "with data-attributes" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            <div data-a="b"></div>
+          EOS
+        end
-      it "creates link which has rel='nofollow noopener' and target='_blank'" do
-        should eq(
-          '<p><a href="http://qqqqqqiita.com/?a=b" class="autolink" rel="nofollow noopener" target="_blank">' \
-          "http://qqqqqqiita.com/?a=b</a></p>\n"
-        )
+        if allowed
+          it "does not sanitize data-attributes" do
+            should eq <<-EOS.strip_heredoc
+              <div data-a="b"></div>
+            EOS
+          end
+        else
+          it "sanitizes data-attributes" do
+            should eq <<-EOS.strip_heredoc
+              <div></div>
+            EOS
+          end
+        end
       end
     end
-    context "with external anchor tag which ends with the hostname parameter" do
-      let(:markdown) do
-        '<a href="http://qqqqqqiita.com/?a=b">foobar</a>'
-      end
+    shared_examples_for "class attribute" do |allowed:|
+      context "with class attribute for general tags" do
+        let(:markdown) do
+          '<i class="fa fa-user"></i>user'
+        end
-      let(:context) do
-        { hostname: "qiita.com" }
+        if allowed
+          it "does not sanitize the attribute" do
+            should eq "<p><i class=\"fa fa-user\"></i>user</p>\n"
+          end
+        else
+          it "sanitizes the attribute" do
+            should eq "<p><i></i>user</p>\n"
+          end
+        end
       end
-      it "creates link which has rel='nofollow noopener' and target='_blank'" do
-        should eq(
-          "<p><a href=\"http://qqqqqqiita.com/?a=b\" rel=\"nofollow noopener\" target=\"_blank\">foobar</a></p>\n"
-        )
+      context "with class attribute for <a> tag" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            <a href="foo" class="malicious-class">foo</a>
+            http://qiita.com/
+          EOS
+        end
+        if allowed
+          it "does not sanitize the classes" do
+            should eq <<-EOS.strip_heredoc
+              <p><a href="foo" class="malicious-class">foo</a><br>
+              <a href="http://qiita.com/" class="autolink" rel="nofollow noopener" target="_blank">http://qiita.com/</a></p>
+            EOS
+          end
+        else
+          it "sanitizes classes except `autolink`" do
+            should eq <<-EOS.strip_heredoc
+              <p><a href="foo" class="">foo</a><br>
+              <a href="http://qiita.com/" class="autolink" rel="nofollow noopener" target="_blank">http://qiita.com/</a></p>
+            EOS
+          end
+        end
       end
     end
-    context "with sub-domain URL of hostname parameter" do
-      let(:markdown) do
-        "http://sub.qiita.com/?a=b"
+    context "without script and strict context" do
+      let(:context) do
+        super().merge(script: false, strict: false)
       end
+      include_examples "basic markdown syntax"
+      include_examples "script element", allowed: false
+      include_examples "malicious script in filename", allowed: false
+      include_examples "iframe element", allowed: false
+      include_examples "data-attributes", allowed: false
+      include_examples "class attribute", allowed: true
+    end
+    context "with script context" do
       let(:context) do
-        { hostname: "qiita.com" }
+        super().merge(script: true, strict: false)
       end
-      it "creates link which has rel='nofollow noopener' and target='_blank'" do
-        should eq(
-          '<p><a href="http://sub.qiita.com/?a=b" class="autolink" rel="nofollow noopener" target="_blank">' \
-          "http://sub.qiita.com/?a=b</a></p>\n"
-        )
-      end
+      include_examples "basic markdown syntax"
+      include_examples "script element", allowed: true
+      include_examples "malicious script in filename", allowed: true
+      include_examples "iframe element", allowed: true
+      include_examples "data-attributes", allowed: true
+      include_examples "class attribute", allowed: true
     end
-    context "with external anchor tag which has rel attribute" do
-      let(:markdown) do
-        '<a href="http://external.com/?a=b" rel="url">foobar</a>'
+    context "with strict context" do
+      let(:context) do
+        super().merge(script: false, strict: true)
       end
+      include_examples "basic markdown syntax"
+      include_examples "script element", allowed: false
+      include_examples "malicious script in filename", allowed: false
+      include_examples "iframe element", allowed: false
+      include_examples "data-attributes", allowed: false
+      include_examples "class attribute", allowed: false
+    end
+    context "with script and strict context" do
       let(:context) do
-        { hostname: "qiita.com" }
+        super().merge(script: true, strict: true)
       end
-      it "creates link which has rel='nofollow noopener' and target='_blank', and rel value is overwritten" do
-        should eq(
-          "<p><a href=\"http://external.com/?a=b\" rel=\"nofollow noopener\" target=\"_blank\">foobar</a></p>\n"
-        )
-      end
+      include_examples "basic markdown syntax"
+      include_examples "script element", allowed: false
+      include_examples "malicious script in filename", allowed: true
+      include_examples "iframe element", allowed: false
+      include_examples "data-attributes", allowed: false
+      include_examples "class attribute", allowed: false
     end
   end
 end