qiita-markdown 0.20.0 → 0.20.1



checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: da128a043af30b7150fe3a7cfd4e498206287f4f
4
- data.tar.gz: f1c24db2c52521cb1929480e94ac6c1e710fb325
3
+ metadata.gz: 28a5b7b0575729c0e1ee9badeed314471aceb1c4
4
+ data.tar.gz: 580ab1d79419424502c77fad83427f5e8384e5cb
5
5
  SHA512:
6
- metadata.gz: 26463d11cd37164156db324205e26e827bee86f060900641659d6ba106394552334408f82f896c2631ee6cc0ccb2b784d736ac57cfe0edf7a662155c2d73e7ef
7
- data.tar.gz: feb783906656c3c7173ad19f3b92033d3e7fcdfe38d1d5842f22436cca6af693218ee372d7b2adb02a9a584759af513b62326f894d55ddc92f5325cc7ffd8725
6
+ metadata.gz: 52b5622f03f628a693e75f54db193dfb98a9debb16ffe91b11bf4b22aecbadee373093d9287b06a02e64a1e620dbdeb4116b3f303aa647546bd832e8e3271410
7
+ data.tar.gz: 69e71477b6a063f6e82482bedd333a49fd1d1206736620cdc98acd89a8d9cfe3c1634bffc4ba1270717b7064cbb1247508d8aa55679f3f9980cd3426cec007f8
@@ -1,5 +1,9 @@
1
1
  ## Unreleased
2
2
 
3
+ ## 0.20.1
4
+
5
+ - Fix to sanitize `<input>` which was unexpectedly permitted
6
+
3
7
  ## 0.20.0
4
8
 
5
9
  - Allow `<blockquote class="twitter-tweet">`
@@ -61,7 +61,7 @@ module Qiita
61
61
  RULE = {
62
62
  elements: %w[
63
63
  a b blockquote br code dd del details div dl dt em font h1 h2 h3 h4 h5 h6
64
- hr i img input ins kbd li ol p pre q rp rt ruby s samp strike strong sub
64
+ hr i img ins kbd li ol p pre q rp rt ruby s samp strike strong sub
65
65
  summary sup table tbody td tfoot th thead tr ul var
66
66
  ],
67
67
  attributes: {
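Review bot: Removing `input` from `elements` leaves any matching entry in the `attributes:` hash that opens on the last line of this hunk as dead configuration; that hash lies outside the hunk, so if it still carries an `"input"` key (for `type`, `checked` or similar) it should go in the same change, otherwise the element and attribute allowlists can drift apart again and a later reader may assume `<input>` is still meant to be permitted. The enclosing `RULE` constant starts before and ends after this hunk, so whether it is frozen after the literal cannot be seen here; a sanitizer allowlist is worth freezing so nothing can append to it at runtime. The spec on this page still expects `<input type="checkbox">` to survive in the non-strict contexts, which suggests this is the strict allowlist, and a one-line comment above `elements:` would keep a future maintainer from re-adding the element to "fix" task-list checkboxes, e.g. `# Strict allowlist: form controls such as <input> are intentionally absent (dropped in 0.20.1)`.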
@@ -1,5 +1,5 @@
1
1
  module Qiita
2
2
  module Markdown
3
- VERSION = "0.20.0"
3
+ VERSION = "0.20.1"
4
4
  end
5
5
  end
@@ -1059,6 +1059,26 @@ describe Qiita::Markdown::Processor do
1059
1059
  end
1060
1060
  end
1061
1061
 
1062
+ shared_examples_for "input element" do |allowed:|
1063
+ context "with input" do
1064
+ let(:markdown) do
1065
+ <<-EOS.strip_heredoc
1066
+ <input type="checkbox"> foo
1067
+ EOS
1068
+ end
1069
+
1070
+ if allowed
1071
+ it "allows input with some attributes" do
1072
+ should eq "<p><input type=\"checkbox\"> foo</p>\n"
1073
+ end
1074
+ else
1075
+ it "sanitizes input element" do
1076
+ should eq "<p> foo</p>\n"
1077
+ end
1078
+ end
1079
+ end
1080
+ end
1081
+
1062
1082
  shared_examples_for "data-attributes" do |allowed:|
1063
1083
  context "with data-attributes" do
1064
1084
  let(:markdown) do
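Review bot: The new `input element` shared example exercises only `<input type="checkbox">`, so the `allowed: false` branch pins that a harmless checkbox is stripped but not that an `<input>` carrying an event-handler or `autofocus`-style attribute is; since the whole element is now dropped the expected output `"<p> foo</p>\n"` would be identical, so a second fixture with such attributes costs one extra `context` and documents why the element left the allowlist. The `allowed: true` branch is titled "allows input with some attributes" yet asserts only `type`; either rename it to `it "allows input with type attribute"` or extend the fixture to the attributes it is meant to cover. The `describe Qiita::Markdown::Processor` block enclosing these examples starts and ends outside the hunk.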
@@ -1179,6 +1199,7 @@ describe Qiita::Markdown::Processor do
1179
1199
  include_examples "script element", allowed: false
1180
1200
  include_examples "malicious script in filename", allowed: false
1181
1201
  include_examples "iframe element", allowed: false
1202
+ include_examples "input element", allowed: true
1182
1203
  include_examples "data-attributes", allowed: false
1183
1204
  include_examples "class attribute", allowed: true
1184
1205
  end
@@ -1192,6 +1213,7 @@ describe Qiita::Markdown::Processor do
1192
1213
  include_examples "script element", allowed: true
1193
1214
  include_examples "malicious script in filename", allowed: true
1194
1215
  include_examples "iframe element", allowed: true
1216
+ include_examples "input element", allowed: true
1195
1217
  include_examples "data-attributes", allowed: true
1196
1218
  include_examples "class attribute", allowed: true
1197
1219
  end
@@ -1205,6 +1227,7 @@ describe Qiita::Markdown::Processor do
1205
1227
  include_examples "script element", allowed: false
1206
1228
  include_examples "malicious script in filename", allowed: false
1207
1229
  include_examples "iframe element", allowed: false
1230
+ include_examples "input element", allowed: false
1208
1231
  include_examples "data-attributes", allowed: false
1209
1232
  include_examples "class attribute", allowed: false
1210
1233
  end
@@ -1218,6 +1241,7 @@ describe Qiita::Markdown::Processor do
1218
1241
  include_examples "script element", allowed: false
1219
1242
  include_examples "malicious script in filename", allowed: true
1220
1243
  include_examples "iframe element", allowed: false
1244
+ include_examples "input element", allowed: false
1221
1245
  include_examples "data-attributes", allowed: false
1222
1246
  include_examples "class attribute", allowed: false
1223
1247
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: qiita-markdown
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.20.0
4
+ version: 0.20.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Ryo Nakamura
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-06-19 00:00:00.000000000 Z
11
+ date: 2017-06-21 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: gemoji