RubyGems - qiita-markdown - Versions diffs - 0.18.0 → 0.19.0 - Mend

qiita-markdown 0.18.0 → 0.19.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of qiita-markdown might be problematic. Click here for more details.

Files changed (13) hide show

checksums.yaml +4 -4
data/.travis.yml +0 -2
data/CHANGELOG.md +6 -0
data/lib/qiita/markdown.rb +2 -1
data/lib/qiita/markdown/filters/{sanitize.rb → final_sanitizer.rb} +7 -1
data/lib/qiita/markdown/filters/simplify.rb +2 -2
data/lib/qiita/markdown/filters/user_input_sanitizer.rb +102 -0
data/lib/qiita/markdown/processor.rb +2 -1
data/lib/qiita/markdown/summary_processor.rb +2 -1
data/lib/qiita/markdown/version.rb +1 -1
data/qiita-markdown.gemspec +1 -1
data/spec/qiita/markdown/processor_spec.rb +931 -792
metadata +4 -3

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 142f1f300d42442f62e84b3ffe54321caa229b2b
-  data.tar.gz: 8029e1417074df1acc82af5cfd075efebe87c959
+  metadata.gz: 83c8da2e7dd55be72fce627ec6b14cb23362346e
+  data.tar.gz: 5752e8dae6fbbd5c9f9f94dc3e4a4320b9d222fa
 SHA512:
-  metadata.gz: db7ea2bc3c6e992848e569c695dddb5923d8aeba7f289eb845c6feea58b7150152317df655540350db6967d0871b93ebaa6e7fc82c475742b6ad95f98c779cb1
-  data.tar.gz: c98d93c9fd42393475a09560131d125eafe6d5f43ac429b333a2b2dfecfacf4c9fb8035c5a1cc3234c1209417591ba86aaac409501750a5c1b1c013198904b23
+  metadata.gz: 885e5a8cc2397dfedbe970b5f85e8dc952275986912149c3a24a1068b32b1c0922b7d1fb9a19db93133410d130ccbe4cda3d45218dc15bbc9b43baf5070cf0bb
+  data.tar.gz: f2a6c4b200eb88f247c16a4d87b4807a083042050e862a58fb7392bfbb25428f7a710ba3c1d1bf67fff0c02f1a1ff2e9fc443107f4f2a987e7147d4b5a965ab1

data/.travis.yml CHANGED Viewed

@@ -7,8 +7,6 @@ before_install:
   - gem update bundler
 language: ruby
 rvm:
-  - 2.0
-  - 2.1
   - 2.2
   - 2.3
   - 2.4

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,11 @@
 ## Unreleased
+## 0.19.0
+- Drop 2.0 and 2.1 from support Ruby versions
+- Rename `Sanitize` as `FinalSanitizer`
+- Add `:strict` context for stricter sanitization
 ## 0.18.0
 - Extract heading decoration logic from Greenmat renderer to `Toc` filter

data/lib/qiita/markdown.rb CHANGED Viewed

@@ -11,16 +11,17 @@ require "qiita/markdown/filters/checkbox"
 require "qiita/markdown/filters/code"
 require "qiita/markdown/filters/emoji"
 require "qiita/markdown/filters/external_link"
+require "qiita/markdown/filters/final_sanitizer"
 require "qiita/markdown/filters/footnote"
 require "qiita/markdown/filters/greenmat"
 require "qiita/markdown/filters/group_mention"
 require "qiita/markdown/filters/image_link"
 require "qiita/markdown/filters/mention"
-require "qiita/markdown/filters/sanitize"
 require "qiita/markdown/filters/simplify"
 require "qiita/markdown/filters/syntax_highlight"
 require "qiita/markdown/filters/toc"
 require "qiita/markdown/filters/truncate"
+require "qiita/markdown/filters/user_input_sanitizer"
 require "qiita/markdown/greenmat/heading_rendering"
 require "qiita/markdown/greenmat/html_renderer"
 require "qiita/markdown/greenmat/html_toc_renderer"

data/lib/qiita/markdown/filters/{sanitize.rb → final_sanitizer.rb} RENAMED Viewed

@@ -3,7 +3,13 @@ module Qiita
     module Filters
       # Sanitizes undesirable elements by whitelist-based rule.
       # You can pass optional :rule and :script context.
-      class Sanitize < HTML::Pipeline::Filter
+      #
+      # Since this filter is applied at the end of html-pipeline, it's rules
+      # are intentionally weakened to allow elements and attributes which are
+      # generated by other filters.
+      #
+      # @see Qiita::Markdown::Filters::UserInputSanitizerr
+      class FinalSanitizer < HTML::Pipeline::Filter
         # Wraps a node env to transform invalid node.
         class TransformableNode
           def self.call(*args)

data/lib/qiita/markdown/filters/simplify.rb CHANGED Viewed

@@ -4,7 +4,7 @@ module Qiita
       # A filter for simplifying document structure by removing complex markups
       # (mainly block elements) and complex contents.
       #
-      # The logic of this filter is similar to the `Sanitize` filter, but this
+      # The logic of this filter is similar to the `FinalSanitizer` filter, but this
       # does not use the `sanitize` gem internally for the following reasons:
       #
       # * Each filter should do only its own responsibility, and this filter is
@@ -12,7 +12,7 @@ module Qiita
       #
       # * The `sanitize` gem automatically adds extra transformers even if we
       #   want to clean up only some elements, and they would be run in the
-      #   `Sanitize` filter later.
+      #   `FinalSanitizer` filter later.
       #   https://github.com/rgrove/sanitize/blob/v3.1.2/lib/sanitize.rb#L77-L100
       class Simplify < HTML::Pipeline::Filter
         SIMPLE_ELEMENTS = %w[a b code em i ins q s samp span strike strong sub sup var]

data/lib/qiita/markdown/filters/user_input_sanitizer.rb ADDED Viewed

@@ -0,0 +1,102 @@
+module Qiita
+  module Markdown
+    module Filters
+      # Sanitizes user input if :strict context is given.
+      class UserInputSanitizer < HTML::Pipeline::Filter
+        class AttributeFilter
+          FILTERS = {
+            "a" => {
+              "class" => %w[autolink],
+              "rel" => %w[footnote url],
+              "rev" => %w[footnote],
+            },
+            "sup" => {
+              "id" => /\Afnref\d+\z/,
+            },
+            "li" => {
+              "id" => /\Afn\d+\z/,
+            },
+          }.freeze
+          DELIMITER = " ".freeze
+          def self.call(*args)
+            new(*args).transform
+          end
+          def initialize(env)
+            @env = env
+          end
+          def transform
+            return unless FILTERS.key?(name)
+            FILTERS[name].each_pair do |attr, pattern|
+              filter_attribute(attr, pattern) if node.attributes.key?(attr)
+            end
+          end
+          private
+          def filter_attribute(attr, pattern)
+            node[attr] = node[attr].split(DELIMITER).select do |value|
+              pattern.is_a?(Array) ? pattern.include?(value) : (pattern =~ value)
+            end.join(DELIMITER)
+          end
+          def name
+            @env[:node_name]
+          end
+          def node
+            @env[:node]
+          end
+        end
+        RULE = {
+          elements: %w[
+            a b blockquote br code dd del details div dl dt em font h1 h2 h3 h4 h5 h6
+            hr i img input ins kbd li ol p pre q rp rt ruby s samp strike strong sub
+            summary sup table tbody td tfoot th thead tr ul var
+          ],
+          attributes: {
+            "a"          => %w[class href rel title],
+            "blockquote" => %w[cite],
+            "code"       => %w[data-metadata],
+            "div"        => %w[class],
+            "font"       => %w[color],
+            "h1"         => %w[id],
+            "h2"         => %w[id],
+            "h3"         => %w[id],
+            "h4"         => %w[id],
+            "h5"         => %w[id],
+            "h6"         => %w[id],
+            "img"        => %w[alt height src title width],
+            "ins"        => %w[cite datetime],
+            "li"         => %w[id],
+            "q"          => %w[cite],
+            "sup"        => %w[id],
+            "td"         => %w[colspan rowspan style],
+            "th"         => %w[colspan rowspan style],
+          },
+          protocols: {
+            "a"          => { "href" => ["http", "https", "mailto", :relative] },
+            "blockquote" => { "cite" => ["http", "https", :relative] },
+            "q"          => { "cite" => ["http", "https", :relative] },
+          },
+          css: {
+            properties: %w[text-align],
+          },
+          remove_contents: %w[
+            script
+          ],
+          transformers: AttributeFilter,
+        }.freeze
+        def call
+          ::Sanitize.clean_node!(doc, RULE) if context[:strict]
+          doc
+        end
+      end
+    end
+  end
+end

data/lib/qiita/markdown/processor.rb CHANGED Viewed

@@ -10,6 +10,7 @@ module Qiita
       def self.default_filters
         [
           Filters::Greenmat,
+          Filters::UserInputSanitizer,
           Filters::ImageLink,
           Filters::Footnote,
           Filters::Code,
@@ -20,7 +21,7 @@ module Qiita
           Filters::Mention,
           Filters::GroupMention,
           Filters::ExternalLink,
-          Filters::Sanitize,
+          Filters::FinalSanitizer,
         ]
       end
     end

data/lib/qiita/markdown/summary_processor.rb CHANGED Viewed

@@ -16,11 +16,12 @@ module Qiita
       def self.default_filters
         [
           Filters::Greenmat,
+          Filters::UserInputSanitizer,
           Filters::Simplify,
           Filters::Emoji,
           Filters::Mention,
           Filters::ExternalLink,
-          Filters::Sanitize,
+          Filters::FinalSanitizer,
           Filters::Truncate,
         ]
       end

data/lib/qiita/markdown/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module Qiita
   module Markdown
-    VERSION = "0.18.0"
+    VERSION = "0.19.0"
   end
 end

data/qiita-markdown.gemspec CHANGED Viewed

@@ -16,7 +16,7 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ["lib"]
-  spec.required_ruby_version = ">= 2.0.0"
+  spec.required_ruby_version = ">= 2.2.0"
   spec.add_dependency "gemoji"
   spec.add_dependency "github-linguist", "~> 4.0"

data/spec/qiita/markdown/processor_spec.rb CHANGED Viewed

@@ -18,1025 +18,1164 @@ describe Qiita::Markdown::Processor do
       described_class.new(context).call(markdown)
     end
-    context "with valid condition" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          example
-        EOS
-      end
+    shared_examples_for "basic markdown syntax" do
+      context "with valid condition" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            example
+          EOS
+        end
-      it "returns a Hash with HTML output and other metadata" do
-        expect(result[:codes]).to be_an Array
-        expect(result[:mentioned_usernames]).to be_an Array
-        expect(result[:output]).to be_a Nokogiri::HTML::DocumentFragment
+        it "returns a Hash with HTML output and other metadata" do
+          expect(result[:codes]).to be_an Array
+          expect(result[:mentioned_usernames]).to be_an Array
+          expect(result[:output]).to be_a Nokogiri::HTML::DocumentFragment
+        end
       end
-    end
-    context "with HTML-characters" do
-      let(:markdown) do
-        "<>&"
-      end
+      context "with HTML-characters" do
+        let(:markdown) do
+          "<>&"
+        end
-      it "sanitizes them" do
-        should eq <<-EOS.strip_heredoc
-          <p>&lt;&gt;&amp;</p>
-        EOS
+        it "sanitizes them" do
+          should eq <<-EOS.strip_heredoc
+            <p>&lt;&gt;&amp;</p>
+          EOS
+        end
       end
-    end
-    context "with email address" do
-      let(:markdown) do
-        "test@example.com"
-      end
+      context "with email address" do
+        let(:markdown) do
+          "test@example.com"
+        end
-      it "replaces with mailto link" do
-        should eq <<-EOS.strip_heredoc
-          <p><a href="mailto:test@example.com" class="autolink">test@example.com</a></p>
-        EOS
+        it "replaces with mailto link" do
+          should eq <<-EOS.strip_heredoc
+            <p><a href="mailto:test@example.com" class="autolink">test@example.com</a></p>
+          EOS
+        end
       end
-    end
-    context "with headings" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          # a
-          ## a
-          ### a
-          ### a
-        EOS
-      end
+      context "with headings" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            # a
+            ## a
+            ### a
+            ### a
+          EOS
+        end
-      it "adds ID for ToC" do
-        should eq <<-EOS.strip_heredoc
+        it "adds ID for ToC" do
+          should eq <<-EOS.strip_heredoc
-          <h1>
-          <span id="a" class="fragment"></span><a href="#a"><i class="fa fa-link"></i></a>a</h1>
+            <h1>
+            <span id="a" class="fragment"></span><a href="#a"><i class="fa fa-link"></i></a>a</h1>
-          <h2>
-          <span id="a-1" class="fragment"></span><a href="#a-1"><i class="fa fa-link"></i></a>a</h2>
+            <h2>
+            <span id="a-1" class="fragment"></span><a href="#a-1"><i class="fa fa-link"></i></a>a</h2>
-          <h3>
-          <span id="a-2" class="fragment"></span><a href="#a-2"><i class="fa fa-link"></i></a>a</h3>
+            <h3>
+            <span id="a-2" class="fragment"></span><a href="#a-2"><i class="fa fa-link"></i></a>a</h3>
-          <h3>
-          <span id="a-3" class="fragment"></span><a href="#a-3"><i class="fa fa-link"></i></a>a</h3>
-        EOS
+            <h3>
+            <span id="a-3" class="fragment"></span><a href="#a-3"><i class="fa fa-link"></i></a>a</h3>
+          EOS
+        end
       end
-    end
-    context "with heading whose title includes special HTML characters" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          # <b>R&amp;B</b>
-        EOS
-      end
+      context "with heading whose title includes special HTML characters" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            # <b>R&amp;B</b>
+          EOS
+        end
-      it "generates fragment identifier by sanitizing the special characters in the title" do
-        should eq <<-EOS.strip_heredoc
+        it "generates fragment identifier by sanitizing the special characters in the title" do
+          should eq <<-EOS.strip_heredoc
-          <h1>
-          <span id="rb" class="fragment"></span><a href="#rb"><i class="fa fa-link"></i></a><b>R&amp;B</b>
-          </h1>
-        EOS
+            <h1>
+            <span id="rb" class="fragment"></span><a href="#rb"><i class="fa fa-link"></i></a><b>R&amp;B</b>
+            </h1>
+          EOS
+        end
       end
-    end
-    context "with manually inputted heading HTML tags without id attribute" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          <h1>foo</h1>
-        EOS
-      end
+      context "with manually inputted heading HTML tags without id attribute" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            <h1>foo</h1>
+          EOS
+        end
-      it "does nothing" do
-        should eq <<-EOS.strip_heredoc
-          <h1>foo</h1>
-        EOS
+        it "does nothing" do
+          should eq <<-EOS.strip_heredoc
+            <h1>foo</h1>
+          EOS
+        end
       end
-    end
-    context "with code" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          ```foo.rb
-          puts 'hello world'
-          ```
-        EOS
-      end
+      context "with code" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            ```foo.rb
+            puts 'hello world'
+            ```
+          EOS
+        end
-      it "returns detected codes" do
-        expect(result[:codes]).to eq [
-          {
-            code: "puts 'hello world'\n",
-            filename: "foo.rb",
-            language: "ruby",
-          },
-        ]
+        it "returns detected codes" do
+          expect(result[:codes]).to eq [
+            {
+              code: "puts 'hello world'\n",
+              filename: "foo.rb",
+              language: "ruby",
+            },
+          ]
+        end
       end
-    end
-    context "with code & filename" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          ```example.rb
-          1
-          ```
-        EOS
-      end
+      context "with code & filename" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            ```example.rb
+            1
+            ```
+          EOS
+        end
-      it "returns code-frame, code-lang, and highlighted pre element" do
-        should eq <<-EOS.strip_heredoc
-          <div class="code-frame" data-lang="ruby">
-          <div class="code-lang"><span class="bold">example.rb</span></div>
-          <div class="highlight"><pre><span></span><span class="mi">1</span>
-          </pre></div>
-          </div>
-        EOS
+        it "returns code-frame, code-lang, and highlighted pre element" do
+          should eq <<-EOS.strip_heredoc
+            <div class="code-frame" data-lang="ruby">
+            <div class="code-lang"><span class="bold">example.rb</span></div>
+            <div class="highlight"><pre><span></span><span class="mi">1</span>
+            </pre></div>
+            </div>
+          EOS
+        end
       end
-    end
-    context "with code & filename with .php" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          ```example.php
-          1
-          ```
-        EOS
-      end
+      context "with code & filename with .php" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            ```example.php
+            1
+            ```
+          EOS
+        end
-      it "returns PHP code-frame" do
-        should eq <<-EOS.strip_heredoc
-          <div class="code-frame" data-lang="php">
-          <div class="code-lang"><span class="bold">example.php</span></div>
-          <div class="highlight"><pre><span></span><span class="mi">1</span>
-          </pre></div>
-          </div>
-        EOS
+        it "returns PHP code-frame" do
+          should eq <<-EOS.strip_heredoc
+            <div class="code-frame" data-lang="php">
+            <div class="code-lang"><span class="bold">example.php</span></div>
+            <div class="highlight"><pre><span></span><span class="mi">1</span>
+            </pre></div>
+            </div>
+          EOS
+        end
       end
-    end
-    context "with malicious script in filename" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          ```js:test<script>alert(1)</script>
-          1
-          ```
-        EOS
-      end
+      context "with code & no filename" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            ```ruby
+            1
+            ```
+          EOS
+        end
-      it "sanitizes script element" do
-        should eq <<-EOS.strip_heredoc
-          <div class="code-frame" data-lang="js">
-          <div class="code-lang"><span class="bold">test</span></div>
-          <div class="highlight"><pre><span></span><span class="mi">1</span>
-          </pre></div>
-          </div>
-        EOS
+        it "returns code-frame and highlighted pre element" do
+          should eq <<-EOS.strip_heredoc
+            <div class="code-frame" data-lang="ruby"><div class="highlight"><pre><span></span><span class="mi">1</span>
+            </pre></div></div>
+          EOS
+        end
       end
-    end
-    context "with code & no filename" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          ```ruby
-          1
-          ```
-        EOS
-      end
+      context "with undefined but aliased language" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            ```zsh
+            true
+            ```
+          EOS
+        end
-      it "returns code-frame and highlighted pre element" do
-        should eq <<-EOS.strip_heredoc
-          <div class="code-frame" data-lang="ruby"><div class="highlight"><pre><span></span><span class="mi">1</span>
-          </pre></div></div>
-        EOS
+        it "returns aliased language name" do
+          expect(result[:codes]).to eq [
+            {
+              code: "true\n",
+              filename: nil,
+              language: "bash",
+            },
+          ]
+        end
       end
-    end
-    context "with undefined but aliased language" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          ```zsh
-          true
-          ```
-        EOS
-      end
+      context "with code with leading and trailing newlines" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            ```
-      it "returns aliased language name" do
-        expect(result[:codes]).to eq [
-          {
-            code: "true\n",
-            filename: nil,
-            language: "bash",
-          },
-        ]
-      end
-    end
+            foo
-    context "with code with leading and trailing newlines" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          ```
+            ```
+          EOS
+        end
-          foo
+        it "does not strip the newlines" do
+          should eq <<-EOS.strip_heredoc
+            <div class="code-frame" data-lang="text"><div class="highlight"><pre><span></span>
+            foo
-          ```
-        EOS
+            </pre></div></div>
+           EOS
+        end
       end
-      it "does not strip the newlines" do
-        should eq <<-EOS.strip_heredoc
-          <div class="code-frame" data-lang="text"><div class="highlight"><pre><span></span>
-          foo
+      context "with mention" do
+        let(:markdown) do
+          "@alice"
+        end
-          </pre></div></div>
-         EOS
+        it "replaces mention with link" do
+          should include(<<-EOS.strip_heredoc.rstrip)
+            <a href="/alice" class="user-mention js-hovercard" title="alice" data-hovercard-target-type="user" data-hovercard-target-name="alice">@alice</a>
+          EOS
+        end
       end
-    end
-    context "with script element" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          <script>alert(1)</script>
-        EOS
-      end
+      context "with mention to short name user" do
+        let(:markdown) do
+          "@al"
+        end
-      it "removes script element" do
-        should eq "\n"
+        it "replaces mention with link" do
+          should include(<<-EOS.strip_heredoc.rstrip)
+            <a href="/al" class="user-mention js-hovercard" title="al" data-hovercard-target-type="user" data-hovercard-target-name="al">@al</a>
+          EOS
+        end
       end
-    end
-    context "with script context" do
-      before do
-        context[:script] = true
-      end
+      context "with mentions in complex patterns" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            @alice
+            ```
+              @bob
+            ```
+            @charlie/@dave
+            @ell_en
+            @fran-k
+            @Isaac
+            @justin
+            @justin
+            @mallory@github
+            @#{'o' * 33}
+            @o
+            @o-
+            @-o
+            @o_
+            @_o
+          EOS
+        end
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          <p><script>alert(1)</script></p>
-        EOS
+        it "extracts mentions correctly" do
+          expect(result[:mentioned_usernames]).to eq %w[
+            alice
+            dave
+            ell_en
+            fran-k
+            Isaac
+            justin
+            mallory@github
+            o_
+            _o
+          ]
+        end
       end
-      it "allows script element" do
-        should eq markdown
-      end
-    end
+      context "with mention-like filename on code block" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            ```ruby:@alice
+            1
+            ```
+          EOS
+        end
-    context "with allowed attributes" do
-      before do
-        context[:script] = true
+        it "does not treat it as mention" do
+          should include(<<-EOS.strip_heredoc.rstrip)
+            <div class="code-frame" data-lang="ruby">
+            <div class="code-lang"><span class="bold">@alice</span></div>
+            <div class="highlight"><pre><span></span><span class="mi">1</span>
+            </pre></div>
+            </div>
+          EOS
+        end
       end
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          <p><script async data-a="b" type="text/javascript">alert(1)</script></p>
-        EOS
-      end
+      context "with mention in blockquote" do
+        let(:markdown) do
+          "> @alice"
+        end
-      it "allows data-attributes" do
-        should eq markdown
+        it "does not replace mention with link" do
+          should include(<<-EOS.strip_heredoc.rstrip)
+            <blockquote>
+            <p>@alice</p>
+            </blockquote>
+          EOS
+        end
       end
-    end
-    context "with iframe" do
-      before do
-        context[:script] = true
-      end
+      context "with mention to user whose name starts and ends with underscore" do
+        let(:markdown) do
+          "@_alice_"
+        end
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          <iframe width="1" height="2" src="//example.com" frameborder="0" allowfullscreen></iframe>
-        EOS
+        it "does not emphasize the name" do
+          should include(<<-EOS.strip_heredoc.rstrip)
+            <a href="/_alice_" class="user-mention js-hovercard" title="_alice_" data-hovercard-target-type="user" data-hovercard-target-name="_alice_">@_alice_</a>
+          EOS
+        end
       end
-      it "allows iframe with some attributes" do
-        should eq markdown
-      end
-    end
+      context "with allowed_usernames context" do
+        before do
+          context[:allowed_usernames] = ["alice"]
+        end
-    context "with mention" do
-      let(:markdown) do
-        "@alice"
-      end
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            @alice
+            @bob
+          EOS
+        end
-      it "replaces mention with link" do
-        should include(<<-EOS.strip_heredoc.rstrip)
-          <a href="/alice" class="user-mention js-hovercard" title="alice" data-hovercard-target-type="user" data-hovercard-target-name="alice">@alice</a>
-        EOS
+        it "limits mentions to allowed usernames" do
+          expect(result[:mentioned_usernames]).to eq ["alice"]
+        end
       end
-    end
-    context "with mention to short name user" do
-      let(:markdown) do
-        "@al"
-      end
+      context "with @all and allowed_usernames context" do
+        before do
+          context[:allowed_usernames] = ["alice", "bob"]
+        end
+        let(:markdown) do
+          "@all"
+        end
-      it "replaces mention with link" do
-        should include(<<-EOS.strip_heredoc.rstrip)
-          <a href="/al" class="user-mention js-hovercard" title="al" data-hovercard-target-type="user" data-hovercard-target-name="al">@al</a>
-        EOS
+        it "links it and reports all allowed users as mentioned user names" do
+          should include(<<-EOS.strip_heredoc.rstrip)
+            <a href="/" class="user-mention" title="all">@all</a>
+          EOS
+          expect(result[:mentioned_usernames]).to eq context[:allowed_usernames]
+        end
       end
-    end
-    context "with mentions in complex patterns" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          @alice
+      context "with @all and @alice" do
+        before do
+          context[:allowed_usernames] = ["alice", "bob"]
+        end
-          ```
-            @bob
-          ```
-          @charlie/@dave
-          @ell_en
-          @fran-k
-          @Isaac
-          @justin
-          @justin
-          @mallory@github
-          @#{'o' * 33}
-          @o
-          @o-
-          @-o
-          @o_
-          @_o
-        EOS
-      end
-      it "extracts mentions correctly" do
-        expect(result[:mentioned_usernames]).to eq %w[
-          alice
-          dave
-          ell_en
-          fran-k
-          Isaac
-          justin
-          mallory@github
-          o_
-          _o
-        ]
-      end
-    end
+        let(:markdown) do
+          "@all @alice"
+        end
-    context "with mention-like filename on code block" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          ```ruby:@alice
-          1
-          ```
-        EOS
+        it "does not duplicate mentioned user names" do
+          expect(result[:mentioned_usernames]).to eq context[:allowed_usernames]
+        end
       end
-      it "does not treat it as mention" do
-        should include(<<-EOS.strip_heredoc.rstrip)
-          <div class="code-frame" data-lang="ruby">
-          <div class="code-lang"><span class="bold">@alice</span></div>
-          <div class="highlight"><pre><span></span><span class="mi">1</span>
-          </pre></div>
-          </div>
-        EOS
-      end
-    end
+      context "with @all and no allowed_usernames context" do
+        let(:markdown) do
+          "@all"
+        end
-    context "with mention in blockquote" do
-      let(:markdown) do
-        "> @alice"
+        it "does not repond to @all" do
+          should eq "<p>@all</p>\n"
+          expect(result[:mentioned_usernames]).to eq []
+        end
       end
-      it "does not replace mention with link" do
-        should include(<<-EOS.strip_heredoc.rstrip)
-          <blockquote>
-          <p>@alice</p>
-          </blockquote>
-        EOS
-      end
-    end
+      context "with group mention without group_memberion_url_generator" do
+        let(:markdown) do
+          "@alice/bob"
+        end
-    context "with mention to user whose name starts and ends with underscore" do
-      let(:markdown) do
-        "@_alice_"
+        it "does not replace it" do
+          is_expected.to eq <<-EOS.strip_heredoc
+            <p>@alice/bob</p>
+          EOS
+        end
       end
-      it "does not emphasize the name" do
-        should include(<<-EOS.strip_heredoc.rstrip)
-          <a href="/_alice_" class="user-mention js-hovercard" title="_alice_" data-hovercard-target-type="user" data-hovercard-target-name="_alice_">@_alice_</a>
-        EOS
-      end
-    end
+      context "with group mention" do
+        let(:context) do
+          super().merge(group_mention_url_generator: lambda do |group|
+            "https://#{group[:team_url_name]}.example.com/groups/#{group[:group_url_name]}"
+          end)
+        end
-    context "with allowed_usernames context" do
-      before do
-        context[:allowed_usernames] = ["alice"]
-      end
+        let(:markdown) do
+          "@alice/bob"
+        end
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          @alice
-          @bob
-        EOS
+        it "replaces it with preferred link and updates :mentioned_groups" do
+          is_expected.to eq <<-EOS.strip_heredoc
+            <p><a href="https://alice.example.com/groups/bob" rel="nofollow noopener" target="_blank">@alice/bob</a></p>
+          EOS
+          expect(result[:mentioned_groups]).to eq [{
+            group_url_name: "bob",
+            team_url_name: "alice",
+          }]
+        end
       end
-      it "limits mentions to allowed usernames" do
-        expect(result[:mentioned_usernames]).to eq ["alice"]
-      end
-    end
+      context "with group mention following another text" do
+        let(:context) do
+          super().merge(group_mention_url_generator: lambda do |group|
+            "https://#{group[:team_url_name]}.example.com/groups/#{group[:group_url_name]}"
+          end)
+        end
-    context "with @all and allowed_usernames context" do
-      before do
-        context[:allowed_usernames] = ["alice", "bob"]
-      end
+        let(:markdown) do
+          "FYI @alice/bob"
+        end
-      let(:markdown) do
-        "@all"
+        it "preserves space after preceding text" do
+          is_expected.to start_with("<p>FYI <a ")
+        end
       end
-      it "links it and reports all allowed users as mentioned user names" do
-        should include(<<-EOS.strip_heredoc.rstrip)
-          <a href="/" class="user-mention" title="all">@all</a>
-        EOS
-        expect(result[:mentioned_usernames]).to eq context[:allowed_usernames]
-      end
-    end
+      context "with normal link" do
+        let(:markdown) do
+          "[](/example)"
+        end
-    context "with @all and @alice" do
-      before do
-        context[:allowed_usernames] = ["alice", "bob"]
+        it "creates link for that" do
+          should eq <<-EOS.strip_heredoc
+            <p><a href="/example"></a></p>
+          EOS
+        end
       end
-      let(:markdown) do
-        "@all @alice"
-      end
+      context "with anchor link" do
+        let(:markdown) do
+          "[](#example)"
+        end
-      it "does not duplicate mentioned user names" do
-        expect(result[:mentioned_usernames]).to eq context[:allowed_usernames]
+        it "creates link for that" do
+          should eq <<-EOS.strip_heredoc
+            <p><a href="#example"></a></p>
+          EOS
+        end
       end
-    end
-    context "with @all and no allowed_usernames context" do
-      let(:markdown) do
-        "@all"
-      end
+      context "with link with title" do
+        let(:markdown) do
+          '[](/example "Title")'
+        end
-      it "does not repond to @all" do
-        should eq "<p>@all</p>\n"
-        expect(result[:mentioned_usernames]).to eq []
+        it "creates link for that with the title" do
+          should eq <<-EOS.strip_heredoc
+            <p><a href="/example" title="Title"></a></p>
+          EOS
+        end
       end
-    end
-    context "with group mention without group_memberion_url_generator" do
-      let(:markdown) do
-        "@alice/bob"
-      end
+      context "with raw URL" do
+        let(:markdown) do
+          "http://example.com/search?q=日本語"
+        end
-      it "does not replace it" do
-        is_expected.to eq <<-EOS.strip_heredoc
-          <p>@alice/bob</p>
-        EOS
+        it "creates link for that with .autolink class" do
+          should eq(
+            '<p><a href="http://example.com/search?q=%E6%97%A5%E6%9C%AC%E8%AA%9E" class="autolink">' \
+            "http://example.com/search?q=日本語</a></p>\n"
+          )
+        end
       end
-    end
-    context "with group mention" do
-      let(:context) do
-        super().merge(group_mention_url_generator: lambda do |group|
-          "https://#{group[:team_url_name]}.example.com/groups/#{group[:group_url_name]}"
-        end)
-      end
+      context "with javascript: link" do
+        let(:markdown) do
+          "[](javascript:alert(1))"
+        end
-      let(:markdown) do
-        "@alice/bob"
+        it "removes that link by creating empty a element" do
+          should eq <<-EOS.strip_heredoc
+            <p><a></a></p>
+          EOS
+        end
       end
-      it "replaces it with preferred link and updates :mentioned_groups" do
-        is_expected.to eq <<-EOS.strip_heredoc
-          <p><a href="https://alice.example.com/groups/bob" rel="nofollow noopener" target="_blank">@alice/bob</a></p>
-        EOS
-        expect(result[:mentioned_groups]).to eq [{
-          group_url_name: "bob",
-          team_url_name: "alice",
-        }]
-      end
-    end
+      context "with emoji" do
+        let(:markdown) do
+          ":+1:"
+        end
-    context "with group mention following another text" do
-      let(:context) do
-        super().merge(group_mention_url_generator: lambda do |group|
-          "https://#{group[:team_url_name]}.example.com/groups/#{group[:group_url_name]}"
-        end)
+        it "replaces it with img element" do
+          should include("img")
+        end
       end
-      let(:markdown) do
-        "FYI @alice/bob"
-      end
+      context "with emoji in pre or code element" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            ```
+            :+1:
+            ```
+          EOS
+        end
-      it "preserves space after preceding text" do
-        is_expected.to start_with("<p>FYI <a ")
+        it "does not replace it" do
+          should_not include("img")
+        end
       end
-    end
-    context "with normal link" do
-      let(:markdown) do
-        "[](/example)"
-      end
+      context "with image notation" do
+        let(:markdown) do
+          "![a](http://example.com/b.png)"
+        end
-      it "creates link for that" do
-        should eq <<-EOS.strip_heredoc
-          <p><a href="/example"></a></p>
-        EOS
+        it "wraps it in a element" do
+          should eq %(<p><a href="http://example.com/b.png" target="_blank">) +
+                    %(<img src="http://example.com/b.png" alt="a"></a></p>\n)
+        end
       end
-    end
-    context "with anchor link" do
-      let(:markdown) do
-        "[](#example)"
-      end
+      context "with image notation with title" do
+        let(:markdown) do
+          '![a](http://example.com/b.png "Title")'
+        end
-      it "creates link for that" do
-        should eq <<-EOS.strip_heredoc
-          <p><a href="#example"></a></p>
-        EOS
+        it "generates <img> tag with the title" do
+          should eq %(<p><a href="http://example.com/b.png" target="_blank">) +
+                    %(<img src="http://example.com/b.png" alt="a" title="Title"></a></p>\n)
+        end
       end
-    end
-    context "with raw URL" do
-      let(:markdown) do
-        "http://example.com/search?q=日本語"
-      end
+      context "with <img> tag with width and height attribute (for Retina image)" do
+        let(:markdown) do
+          '<img width="80" height="48" alt="a" src="http://example.com/b.png">'
+        end
-      it "creates link for that with .autolink class" do
-        should eq(
-          '<p><a href="http://example.com/search?q=%E6%97%A5%E6%9C%AC%E8%AA%9E" class="autolink">' \
-          "http://example.com/search?q=日本語</a></p>\n"
-        )
+        it "wraps it in a element while keeping the width attribute" do
+          should eq %(<p><a href="http://example.com/b.png" target="_blank">) +
+                    %(<img width="80" height="48" alt="a" src="http://example.com/b.png"></a></p>\n)
+        end
       end
-    end
-    context "with javascript: link" do
-      let(:markdown) do
-        "[](javascript:alert(1))"
-      end
+      context "with colon-only label" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            ```:
+            1
+            ```
+          EOS
+        end
-      it "removes that link by creating empty a element" do
-        should eq <<-EOS.strip_heredoc
-          <p><a></a></p>
-        EOS
+        it "does not replace it" do
+          expect(result[:codes]).to eq [
+            {
+              code: "1\n",
+              filename: nil,
+              language: nil,
+            },
+          ]
+        end
       end
-    end
-    context "with emoji" do
-      let(:markdown) do
-        ":+1:"
-      end
+      context "with font element with color attribute" do
+        let(:markdown) do
+          %[<font color="red">test</font>]
+        end
-      it "replaces it with img element" do
-        should include("img")
+        it "allows font element with color attribute" do
+          should eq <<-EOS.strip_heredoc
+            <p>#{markdown}</p>
+          EOS
+        end
       end
-    end
-    context "with emoji in pre or code element" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          ```
-          :+1:
-          ```
-        EOS
-      end
+      context "with task list" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            - [ ] a
+            - [x] b
+          EOS
+        end
-      it "does not replace it" do
-        should_not include("img")
+        it "inserts checkbox" do
+          should eq <<-EOS.strip_heredoc
+            <ul>
+            <li class="task-list-item">
+            <input type="checkbox" class="task-list-item-checkbox" disabled>a</li>
+            <li class="task-list-item">
+            <input type="checkbox" class="task-list-item-checkbox" checked disabled>b</li>
+            </ul>
+          EOS
+        end
       end
-    end
-    context "with image notation" do
-      let(:markdown) do
-        "![a](http://example.com/b.png)"
-      end
+      context "with nested task list" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            - [ ] a
+             - [ ] b
+          EOS
+        end
-      it "wraps it in a element" do
-        should eq '<p><a href="http://example.com/b.png" target="_blank">' +
-                  %(<img src="http://example.com/b.png" alt="a"></a></p>\n)
+        it "inserts checkbox" do
+          should eq <<-EOS.strip_heredoc
+            <ul>
+            <li class="task-list-item">
+            <input type="checkbox" class="task-list-item-checkbox" disabled>a
+            <ul>
+            <li class="task-list-item">
+            <input type="checkbox" class="task-list-item-checkbox" disabled>b</li>
+            </ul>
+            </li>
+            </ul>
+          EOS
+        end
       end
-    end
-    context "with colon-only label" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          ```:
-          1
-          ```
-        EOS
-      end
+      context "with task list in code block" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            ```
+            - [ ] a
+            - [x] b
+            ```
+          EOS
+        end
-      it "does not replace it" do
-        expect(result[:codes]).to eq [
-          {
-            code: "1\n",
-            filename: nil,
-            language: nil,
-          },
-        ]
+        it "does not replace checkbox" do
+          should eq <<-EOS.strip_heredoc
+            <div class="code-frame" data-lang="text"><div class="highlight"><pre><span></span>- [ ] a
+            - [x] b
+            </pre></div></div>
+          EOS
+        end
       end
-    end
-    context "with font element with color attribute" do
-      let(:markdown) do
-        %[<font color="red">test</font>]
-      end
+      context "with empty line between task list" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            - [ ] a
-      it "allows font element with color attribute" do
-        should eq <<-EOS.strip_heredoc
-          <p>#{markdown}</p>
-        EOS
-      end
-    end
+            - [x] b
+          EOS
+        end
-    context "with task list" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          - [ ] a
-          - [x] b
-        EOS
+        it "inserts checkbox" do
+          should eq <<-EOS.strip_heredoc
+            <ul>
+            <li class="task-list-item"><p><input type="checkbox" class="task-list-item-checkbox" disabled>a</p></li>
+            <li class="task-list-item"><p><input type="checkbox" class="task-list-item-checkbox" checked disabled>b</p></li>
+            </ul>
+          EOS
+        end
       end
-      it "inserts checkbox" do
-        should eq <<-EOS.strip_heredoc
-          <ul>
-          <li class="task-list-item">
-          <input type="checkbox" class="task-list-item-checkbox" disabled>a</li>
-          <li class="task-list-item">
-          <input type="checkbox" class="task-list-item-checkbox" checked disabled>b</li>
-          </ul>
-        EOS
-      end
-    end
+      context "with empty list" do
+        let(:markdown) do
+          "- \n"
+        end
-    context "with nested task list" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          - [ ] a
-           - [ ] b
-        EOS
+        it "inserts checkbox" do
+          should eq <<-EOS.strip_heredoc
+            <ul>
+            <li>
+            </ul>
+          EOS
+        end
       end
-      it "inserts checkbox" do
-        should eq <<-EOS.strip_heredoc
-          <ul>
-          <li class="task-list-item">
-          <input type="checkbox" class="task-list-item-checkbox" disabled>a
+      context "with text-aligned table" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            | a  | b  | c   |
+            |:---|---:|:---:|
+            | a  | b  | c   |
+          EOS
+        end
-          <ul>
-          <li class="task-list-item">
-          <input type="checkbox" class="task-list-item-checkbox" disabled>b</li>
-          </ul>
-          </li>
-          </ul>
-        EOS
+        it "creates table element with text-align style" do
+          should eq <<-EOS.strip_heredoc
+            <table>
+            <thead>
+            <tr>
+            <th style="text-align: left">a</th>
+            <th style="text-align: right">b</th>
+            <th style="text-align: center">c</th>
+            </tr>
+            </thead>
+            <tbody>
+            <tr>
+            <td style="text-align: left">a</td>
+            <td style="text-align: right">b</td>
+            <td style="text-align: center">c</td>
+            </tr>
+            </tbody>
+            </table>
+          EOS
+        end
       end
-    end
-    context "with task list in code block" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          ```
-          - [ ] a
-          - [x] b
-          ```
-        EOS
-      end
+      context "with footenotes syntax" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            [^1]
+            [^1]: test
+          EOS
+        end
-      it "does not replace checkbox" do
-        should eq <<-EOS.strip_heredoc
-          <div class="code-frame" data-lang="text"><div class="highlight"><pre><span></span>- [ ] a
-          - [x] b
-          </pre></div></div>
-        EOS
-      end
-    end
+        it "generates footnotes elements" do
+          should eq <<-EOS.strip_heredoc
+            <p><sup id="fnref1"><a href="#fn1" rel="footnote" title="test">1</a></sup></p>
-    context "with empty line between task list" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          - [ ] a
+            <div class="footnotes">
+            <hr>
+            <ol>
-          - [x] b
-        EOS
-      end
+            <li id="fn1">
+            <p>test <a href="#fnref1">↩</a></p>
+            </li>
-      it "inserts checkbox" do
-        should eq <<-EOS.strip_heredoc
-          <ul>
-          <li class="task-list-item"><p><input type="checkbox" class="task-list-item-checkbox" disabled>a</p></li>
-          <li class="task-list-item"><p><input type="checkbox" class="task-list-item-checkbox" checked disabled>b</p></li>
-          </ul>
-        EOS
+            </ol>
+            </div>
+          EOS
+        end
       end
-    end
-    context "with empty list" do
-      let(:markdown) do
-        "- \n"
-      end
+      context "with manually written link inside of <sup> tag" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            <sup>[Example](http://example.com/)</sup>
+          EOS
+        end
-      it "inserts checkbox" do
-        should eq <<-EOS.strip_heredoc
-          <ul>
-          <li>
-          </ul>
-        EOS
+        it "does not confuse the structure with automatically generated footnote reference" do
+          should eq <<-EOS.strip_heredoc
+            <p><sup><a href="http://example.com/">Example</a></sup></p>
+          EOS
+        end
       end
-    end
-    context "with text-aligned table" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          | a  | b  | c   |
-          |:---|---:|:---:|
-          | a  | b  | c   |
-        EOS
-      end
-      it "creates table element with text-align style" do
-        should eq <<-EOS.strip_heredoc
-          <table>
-          <thead>
-          <tr>
-          <th style="text-align: left">a</th>
-          <th style="text-align: right">b</th>
-          <th style="text-align: center">c</th>
-          </tr>
-          </thead>
-          <tbody>
-          <tr>
-          <td style="text-align: left">a</td>
-          <td style="text-align: right">b</td>
-          <td style="text-align: center">c</td>
-          </tr>
-          </tbody>
-          </table>
-        EOS
+      context "with manually written <a> tag with strange href inside of <sup> tag" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            <sup><a href="#foo.1">Link</a></sup>
+          EOS
+        end
+        it "does not confuse the structure with automatically generated footnote reference" do
+          should eq <<-EOS.strip_heredoc
+            <p><sup><a href="#foo.1">Link</a></sup></p>
+          EOS
+        end
       end
-    end
-    context "with footenotes syntax" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          [^1]
-          [^1]: test
-        EOS
+      context "with markdown: { footnotes: false } context" do
+        before do
+          context[:markdown] = { footnotes: false }
+        end
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            [^1]
+            [^1]: test
+          EOS
+        end
+        it "does not generate footnote elements" do
+          should eq <<-EOS.strip_heredoc
+            <p><a href="test">^1</a></p>
+          EOS
+        end
       end
-      it "generates footnotes elements" do
-        should eq <<-EOS.strip_heredoc
-          <p><sup id="fnref1"><a href="#fn1" rel="footnote" title="test">1</a></sup></p>
+      context "with emoji_names and emoji_url_generator context" do
+        before do
+          context[:emoji_names] = %w(foo o)
-          <div class="footnotes">
-          <hr>
-          <ol>
+          context[:emoji_url_generator] = proc do |emoji_name|
+            "https://example.com/foo.png" if emoji_name == "foo"
+          end
+        end
-          <li id="fn1">
-          <p>test <a href="#fnref1">↩</a></p>
-          </li>
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            :foo: :o: :x:
+          EOS
+        end
-          </ol>
-          </div>
-        EOS
-      end
-    end
+        it "replaces only the specified emoji names with img elements with custom URL" do
+          should include(
+            '<img class="emoji" title=":foo:" alt=":foo:" src="https://example.com/foo.png"',
+            '<img class="emoji" title=":o:" alt=":o:" src="/images/emoji/unicode/2b55.png"'
+          )
-    context "with manually written link inside of <sup> tag" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          <sup>[Example](http://example.com/)</sup>
-        EOS
+          should_not include(
+            '<img class="emoji" title=":x:" alt=":x:"'
+          )
+        end
       end
-      it "does not confuse the structure with automatically generated footnote reference" do
-        should eq <<-EOS.strip_heredoc
-          <p><sup><a href="http://example.com/">Example</a></sup></p>
-        EOS
-      end
-    end
+      context "with internal URL" do
+        let(:markdown) do
+          "http://qiita.com/?a=b"
+        end
-    context "with manually written <a> tag with strange href inside of <sup> tag" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          <sup><a href="#foo.1">Link</a></sup>
-        EOS
-      end
+        let(:context) do
+          { hostname: "qiita.com" }
+        end
-      it "does not confuse the structure with automatically generated footnote reference" do
-        should eq <<-EOS.strip_heredoc
-          <p><sup><a href="#foo.1">Link</a></sup></p>
-        EOS
+        it "creates link which does not have rel='nofollow noopener' and target='_blank'" do
+          should eq(
+            '<p><a href="http://qiita.com/?a=b" class="autolink">' \
+            "http://qiita.com/?a=b</a></p>\n"
+          )
+        end
       end
-    end
-    context "with markdown: { footnotes: false } context" do
-      before do
-        context[:markdown] = { footnotes: false }
-      end
+      context "with external URL" do
+        let(:markdown) do
+          "http://external.com/?a=b"
+        end
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          [^1]
-          [^1]: test
-        EOS
-      end
+        let(:context) do
+          { hostname: "qiita.com" }
+        end
-      it "does not generate footnote elements" do
-        should eq <<-EOS.strip_heredoc
-          <p><a href="test">^1</a></p>
-        EOS
+        it "creates link which has rel='nofollow noopener' and target='_blank'" do
+          should eq(
+            '<p><a href="http://external.com/?a=b" class="autolink" rel="nofollow noopener" target="_blank">' \
+            "http://external.com/?a=b</a></p>\n"
+          )
+        end
       end
-    end
-    context "with data-attributes" do
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          <div data-a="b"></div>
-        EOS
-      end
+      context "with internal anchor tag" do
+        let(:markdown) do
+          '<a href="http://qiita.com/?a=b">foobar</a>'
+        end
-      it "sanitizes data-attributes" do
-        should eq <<-EOS.strip_heredoc
-          <div></div>
-        EOS
-      end
-    end
+        let(:context) do
+          { hostname: "qiita.com" }
+        end
-    context "with data-attributes and :script option" do
-      before do
-        context[:script] = true
+        it "creates link which does not have rel='nofollow noopener' and target='_blank'" do
+          should eq(
+            "<p><a href=\"http://qiita.com/?a=b\">foobar</a></p>\n"
+          )
+        end
       end
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          <div data-a="b"></div>
-        EOS
-      end
+      context "with external anchor tag" do
+        let(:markdown) do
+          '<a href="http://external.com/?a=b">foobar</a>'
+        end
+        let(:context) do
+          { hostname: "qiita.com" }
+        end
-      it "does not sanitize data-attributes" do
-        should eq <<-EOS.strip_heredoc
-          <div data-a="b"></div>
-        EOS
+        it "creates link which has rel='nofollow noopener' and target='_blank'" do
+          should eq(
+            "<p><a href=\"http://external.com/?a=b\" rel=\"nofollow noopener\" target=\"_blank\">foobar</a></p>\n"
+          )
+        end
       end
-    end
-    context "with emoji_names and emoji_url_generator context" do
-      before do
-        context[:emoji_names] = %w(foo o)
+      context "with external URL which ends with the hostname parameter" do
+        let(:markdown) do
+          "http://qqqqqqiita.com/?a=b"
+        end
-        context[:emoji_url_generator] = proc do |emoji_name|
-          "https://example.com/foo.png" if emoji_name == "foo"
+        let(:context) do
+          { hostname: "qiita.com" }
         end
-      end
-      let(:markdown) do
-        <<-EOS.strip_heredoc
-          :foo: :o: :x:
-        EOS
+        it "creates link which has rel='nofollow noopener' and target='_blank'" do
+          should eq(
+            '<p><a href="http://qqqqqqiita.com/?a=b" class="autolink" rel="nofollow noopener" target="_blank">' \
+            "http://qqqqqqiita.com/?a=b</a></p>\n"
+          )
+        end
       end
-      it "replaces only the specified emoji names with img elements with custom URL" do
-        should include(
-          '<img class="emoji" title=":foo:" alt=":foo:" src="https://example.com/foo.png"',
-          '<img class="emoji" title=":o:" alt=":o:" src="/images/emoji/unicode/2b55.png"'
-        )
+      context "with external anchor tag which ends with the hostname parameter" do
+        let(:markdown) do
+          '<a href="http://qqqqqqiita.com/?a=b">foobar</a>'
+        end
-        should_not include(
-          '<img class="emoji" title=":x:" alt=":x:"'
-        )
-      end
-    end
+        let(:context) do
+          { hostname: "qiita.com" }
+        end
-    context "with internal URL" do
-      let(:markdown) do
-        "http://qiita.com/?a=b"
+        it "creates link which has rel='nofollow noopener' and target='_blank'" do
+          should eq(
+            "<p><a href=\"http://qqqqqqiita.com/?a=b\" rel=\"nofollow noopener\" target=\"_blank\">foobar</a></p>\n"
+          )
+        end
       end
-      let(:context) do
-        { hostname: "qiita.com" }
-      end
+      context "with sub-domain URL of hostname parameter" do
+        let(:markdown) do
+          "http://sub.qiita.com/?a=b"
+        end
-      it "creates link which does not have rel='nofollow noopener' and target='_blank'" do
-        should eq(
-          '<p><a href="http://qiita.com/?a=b" class="autolink">' \
-          "http://qiita.com/?a=b</a></p>\n"
-        )
-      end
-    end
+        let(:context) do
+          { hostname: "qiita.com" }
+        end
-    context "with external URL" do
-      let(:markdown) do
-        "http://external.com/?a=b"
+        it "creates link which has rel='nofollow noopener' and target='_blank'" do
+          should eq(
+            '<p><a href="http://sub.qiita.com/?a=b" class="autolink" rel="nofollow noopener" target="_blank">' \
+            "http://sub.qiita.com/?a=b</a></p>\n"
+          )
+        end
       end
-      let(:context) do
-        { hostname: "qiita.com" }
-      end
+      context "with external anchor tag which has rel attribute" do
+        let(:markdown) do
+          '<a href="http://external.com/?a=b" rel="url">foobar</a>'
+        end
-      it "creates link which has rel='nofollow noopener' and target='_blank'" do
-        should eq(
-          '<p><a href="http://external.com/?a=b" class="autolink" rel="nofollow noopener" target="_blank">' \
-          "http://external.com/?a=b</a></p>\n"
-        )
-      end
-    end
+        let(:context) do
+          { hostname: "qiita.com" }
+        end
-    context "with internal anchor tag" do
-      let(:markdown) do
-        '<a href="http://qiita.com/?a=b">foobar</a>'
+        it "creates link which has rel='nofollow noopener' and target='_blank', and rel value is overwritten" do
+          should eq(
+            "<p><a href=\"http://external.com/?a=b\" rel=\"nofollow noopener\" target=\"_blank\">foobar</a></p>\n"
+          )
+        end
       end
-      let(:context) do
-        { hostname: "qiita.com" }
-      end
+      context "with blockquote syntax" do
+        let(:markdown) do
+          "> foo"
+        end
-      it "creates link which does not have rel='nofollow noopener' and target='_blank'" do
-        should eq(
-          "<p><a href=\"http://qiita.com/?a=b\">foobar</a></p>\n"
-        )
+        it "does not confuse it with HTML tag angle brackets" do
+          should eq "<blockquote>\n<p>foo</p>\n</blockquote>\n"
+        end
       end
     end
-    context "with external anchor tag" do
-      let(:markdown) do
-        '<a href="http://external.com/?a=b">foobar</a>'
-      end
+    shared_examples_for "script element" do |allowed:|
+      context "with script element" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            <script>alert(1)</script>
+          EOS
+        end
-      let(:context) do
-        { hostname: "qiita.com" }
+        if allowed
+          it "allows script element" do
+            should eq markdown
+          end
+          context "and allowed attributes" do
+            let(:markdown) do
+              <<-EOS.strip_heredoc
+                <p><script async data-a="b" type="text/javascript">alert(1)</script></p>
+              EOS
+            end
+            it "allows data-attributes" do
+              should eq markdown
+            end
+          end
+        else
+          it "removes script element" do
+            should eq "\n"
+          end
+        end
       end
+    end
-      it "creates link which has rel='nofollow noopener' and target='_blank'" do
-        should eq(
-          "<p><a href=\"http://external.com/?a=b\" rel=\"nofollow noopener\" target=\"_blank\">foobar</a></p>\n"
-        )
+    shared_examples_for "malicious script in filename" do |allowed:|
+      context "with malicious script in filename" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            ```js:test<script>alert(1)</script>
+            1
+            ```
+          EOS
+        end
+        if allowed
+          it "does not sanitize script element" do
+            should eq <<-EOS.strip_heredoc
+              <div class="code-frame" data-lang="js">
+              <div class="code-lang"><span class="bold">test<script>alert(1)</script></span></div>
+              <div class="highlight"><pre><span></span><span class="mi">1</span>
+              </pre></div>
+              </div>
+            EOS
+          end
+        else
+          it "sanitizes script element" do
+            should eq <<-EOS.strip_heredoc
+              <div class="code-frame" data-lang="js">
+              <div class="code-lang"><span class="bold">test</span></div>
+              <div class="highlight"><pre><span></span><span class="mi">1</span>
+              </pre></div>
+              </div>
+            EOS
+          end
+        end
       end
     end
-    context "with external URL which ends with the hostname parameter" do
-      let(:markdown) do
-        "http://qqqqqqiita.com/?a=b"
-      end
+    shared_examples_for "iframe element" do |allowed:|
+      context "with iframe" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            <iframe width="1" height="2" src="//example.com" frameborder="0" allowfullscreen></iframe>
+          EOS
+        end
-      let(:context) do
-        { hostname: "qiita.com" }
+        if allowed
+          it "allows iframe with some attributes" do
+            should eq markdown
+          end
+        else
+          it "sanitizes iframe element" do
+            should eq "\n"
+          end
+        end
       end
+    end
+    shared_examples_for "data-attributes" do |allowed:|
+      context "with data-attributes" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            <div data-a="b"></div>
+          EOS
+        end
-      it "creates link which has rel='nofollow noopener' and target='_blank'" do
-        should eq(
-          '<p><a href="http://qqqqqqiita.com/?a=b" class="autolink" rel="nofollow noopener" target="_blank">' \
-          "http://qqqqqqiita.com/?a=b</a></p>\n"
-        )
+        if allowed
+          it "does not sanitize data-attributes" do
+            should eq <<-EOS.strip_heredoc
+              <div data-a="b"></div>
+            EOS
+          end
+        else
+          it "sanitizes data-attributes" do
+            should eq <<-EOS.strip_heredoc
+              <div></div>
+            EOS
+          end
+        end
       end
     end
-    context "with external anchor tag which ends with the hostname parameter" do
-      let(:markdown) do
-        '<a href="http://qqqqqqiita.com/?a=b">foobar</a>'
-      end
+    shared_examples_for "class attribute" do |allowed:|
+      context "with class attribute for general tags" do
+        let(:markdown) do
+          '<i class="fa fa-user"></i>user'
+        end
-      let(:context) do
-        { hostname: "qiita.com" }
+        if allowed
+          it "does not sanitize the attribute" do
+            should eq "<p><i class=\"fa fa-user\"></i>user</p>\n"
+          end
+        else
+          it "sanitizes the attribute" do
+            should eq "<p><i></i>user</p>\n"
+          end
+        end
       end
-      it "creates link which has rel='nofollow noopener' and target='_blank'" do
-        should eq(
-          "<p><a href=\"http://qqqqqqiita.com/?a=b\" rel=\"nofollow noopener\" target=\"_blank\">foobar</a></p>\n"
-        )
+      context "with class attribute for <a> tag" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            <a href="foo" class="malicious-class">foo</a>
+            http://qiita.com/
+          EOS
+        end
+        if allowed
+          it "does not sanitize the classes" do
+            should eq <<-EOS.strip_heredoc
+              <p><a href="foo" class="malicious-class">foo</a><br>
+              <a href="http://qiita.com/" class="autolink" rel="nofollow noopener" target="_blank">http://qiita.com/</a></p>
+            EOS
+          end
+        else
+          it "sanitizes classes except `autolink`" do
+            should eq <<-EOS.strip_heredoc
+              <p><a href="foo" class="">foo</a><br>
+              <a href="http://qiita.com/" class="autolink" rel="nofollow noopener" target="_blank">http://qiita.com/</a></p>
+            EOS
+          end
+        end
       end
     end
-    context "with sub-domain URL of hostname parameter" do
-      let(:markdown) do
-        "http://sub.qiita.com/?a=b"
+    context "without script and strict context" do
+      let(:context) do
+        super().merge(script: false, strict: false)
       end
+      include_examples "basic markdown syntax"
+      include_examples "script element", allowed: false
+      include_examples "malicious script in filename", allowed: false
+      include_examples "iframe element", allowed: false
+      include_examples "data-attributes", allowed: false
+      include_examples "class attribute", allowed: true
+    end
+    context "with script context" do
       let(:context) do
-        { hostname: "qiita.com" }
+        super().merge(script: true, strict: false)
       end
-      it "creates link which has rel='nofollow noopener' and target='_blank'" do
-        should eq(
-          '<p><a href="http://sub.qiita.com/?a=b" class="autolink" rel="nofollow noopener" target="_blank">' \
-          "http://sub.qiita.com/?a=b</a></p>\n"
-        )
-      end
+      include_examples "basic markdown syntax"
+      include_examples "script element", allowed: true
+      include_examples "malicious script in filename", allowed: true
+      include_examples "iframe element", allowed: true
+      include_examples "data-attributes", allowed: true
+      include_examples "class attribute", allowed: true
     end
-    context "with external anchor tag which has rel attribute" do
-      let(:markdown) do
-        '<a href="http://external.com/?a=b" rel="url">foobar</a>'
+    context "with strict context" do
+      let(:context) do
+        super().merge(script: false, strict: true)
       end
+      include_examples "basic markdown syntax"
+      include_examples "script element", allowed: false
+      include_examples "malicious script in filename", allowed: false
+      include_examples "iframe element", allowed: false
+      include_examples "data-attributes", allowed: false
+      include_examples "class attribute", allowed: false
+    end
+    context "with script and strict context" do
       let(:context) do
-        { hostname: "qiita.com" }
+        super().merge(script: true, strict: true)
       end
-      it "creates link which has rel='nofollow noopener' and target='_blank', and rel value is overwritten" do
-        should eq(
-          "<p><a href=\"http://external.com/?a=b\" rel=\"nofollow noopener\" target=\"_blank\">foobar</a></p>\n"
-        )
-      end
+      include_examples "basic markdown syntax"
+      include_examples "script element", allowed: false
+      include_examples "malicious script in filename", allowed: true
+      include_examples "iframe element", allowed: false
+      include_examples "data-attributes", allowed: false
+      include_examples "class attribute", allowed: false
     end
   end
 end