qiita-markdown 0.20.0 → 0.20.1

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.

This version of qiita-markdown might be problematic. Click here for more details.

Files changed (6) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +4 -0
  3. data/lib/qiita/markdown/filters/user_input_sanitizer.rb +1 -1
  4. data/lib/qiita/markdown/version.rb +1 -1
  5. data/spec/qiita/markdown/processor_spec.rb +24 -0
  6. metadata +2 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: da128a043af30b7150fe3a7cfd4e498206287f4f
4
- data.tar.gz: f1c24db2c52521cb1929480e94ac6c1e710fb325
3
+ metadata.gz: 28a5b7b0575729c0e1ee9badeed314471aceb1c4
4
+ data.tar.gz: 580ab1d79419424502c77fad83427f5e8384e5cb
5
5
  SHA512:
6
- metadata.gz: 26463d11cd37164156db324205e26e827bee86f060900641659d6ba106394552334408f82f896c2631ee6cc0ccb2b784d736ac57cfe0edf7a662155c2d73e7ef
7
- data.tar.gz: feb783906656c3c7173ad19f3b92033d3e7fcdfe38d1d5842f22436cca6af693218ee372d7b2adb02a9a584759af513b62326f894d55ddc92f5325cc7ffd8725
6
+ metadata.gz: 52b5622f03f628a693e75f54db193dfb98a9debb16ffe91b11bf4b22aecbadee373093d9287b06a02e64a1e620dbdeb4116b3f303aa647546bd832e8e3271410
7
+ data.tar.gz: 69e71477b6a063f6e82482bedd333a49fd1d1206736620cdc98acd89a8d9cfe3c1634bffc4ba1270717b7064cbb1247508d8aa55679f3f9980cd3426cec007f8
data/CHANGELOG.md CHANGED
@@ -1,5 +1,9 @@
1
1
  ## Unreleased
2
2
 
3
+ ## 0.20.1
4
+
5
+ - Fix to sanitize `<input>` which was unexpectedly permitted
6
+
3
7
  ## 0.20.0
4
8
 
5
9
  - Allow `<blockquote class="twitter-tweet">`
data/lib/qiita/markdown/filters/user_input_sanitizer.rb CHANGED
@@ -61,7 +61,7 @@ module Qiita
61
61
  RULE = {
62
62
  elements: %w[
63
63
  a b blockquote br code dd del details div dl dt em font h1 h2 h3 h4 h5 h6
64
- hr i img input ins kbd li ol p pre q rp rt ruby s samp strike strong sub
64
+ hr i img ins kbd li ol p pre q rp rt ruby s samp strike strong sub
65
65
  summary sup table tbody td tfoot th thead tr ul var
66
66
  ],
67
67
  attributes: {
data/lib/qiita/markdown/version.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  module Qiita
2
2
  module Markdown
3
- VERSION = "0.20.0"
3
+ VERSION = "0.20.1"
4
4
  end
5
5
  end
data/spec/qiita/markdown/processor_spec.rb CHANGED
@@ -1059,6 +1059,26 @@ describe Qiita::Markdown::Processor do
1059
1059
  end
1060
1060
  end
1061
1061
 
1062
+ shared_examples_for "input element" do |allowed:|
1063
+ context "with input" do
1064
+ let(:markdown) do
1065
+ <<-EOS.strip_heredoc
1066
+ <input type="checkbox"> foo
1067
+ EOS
1068
+ end
1069
+
1070
+ if allowed
1071
+ it "allows input with some attributes" do
1072
+ should eq "<p><input type=\"checkbox\"> foo</p>\n"
1073
+ end
1074
+ else
1075
+ it "sanitizes input element" do
1076
+ should eq "<p> foo</p>\n"
1077
+ end
1078
+ end
1079
+ end
1080
+ end
1081
+
1062
1082
  shared_examples_for "data-attributes" do |allowed:|
1063
1083
  context "with data-attributes" do
1064
1084
  let(:markdown) do
@@ -1179,6 +1199,7 @@ describe Qiita::Markdown::Processor do
1179
1199
  include_examples "script element", allowed: false
1180
1200
  include_examples "malicious script in filename", allowed: false
1181
1201
  include_examples "iframe element", allowed: false
1202
+ include_examples "input element", allowed: true
1182
1203
  include_examples "data-attributes", allowed: false
1183
1204
  include_examples "class attribute", allowed: true
1184
1205
  end
@@ -1192,6 +1213,7 @@ describe Qiita::Markdown::Processor do
1192
1213
  include_examples "script element", allowed: true
1193
1214
  include_examples "malicious script in filename", allowed: true
1194
1215
  include_examples "iframe element", allowed: true
1216
+ include_examples "input element", allowed: true
1195
1217
  include_examples "data-attributes", allowed: true
1196
1218
  include_examples "class attribute", allowed: true
1197
1219
  end
@@ -1205,6 +1227,7 @@ describe Qiita::Markdown::Processor do
1205
1227
  include_examples "script element", allowed: false
1206
1228
  include_examples "malicious script in filename", allowed: false
1207
1229
  include_examples "iframe element", allowed: false
1230
+ include_examples "input element", allowed: false
1208
1231
  include_examples "data-attributes", allowed: false
1209
1232
  include_examples "class attribute", allowed: false
1210
1233
  end
@@ -1218,6 +1241,7 @@ describe Qiita::Markdown::Processor do
1218
1241
  include_examples "script element", allowed: false
1219
1242
  include_examples "malicious script in filename", allowed: true
1220
1243
  include_examples "iframe element", allowed: false
1244
+ include_examples "input element", allowed: false
1221
1245
  include_examples "data-attributes", allowed: false
1222
1246
  include_examples "class attribute", allowed: false
1223
1247
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: qiita-markdown
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.20.0
4
+ version: 0.20.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Ryo Nakamura
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-06-19 00:00:00.000000000 Z
11
+ date: 2017-06-21 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: gemoji