qiita-markdown 0.21.0 → 0.22.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f4ebdec684801c23c2b2183ea2498383180d4382
-  data.tar.gz: ebaf06c2afa12f825f6b21a122e36705da59bf13
+  metadata.gz: ff3cf2974ec3776febf776a8509ea134b7e6b94d
+  data.tar.gz: 16d059b677b0cf622be0d3c85e4ad9e293ffcdef
 SHA512:
-  metadata.gz: e237616c63dfb7d0a6f332c4b8327afcf39bfa3ea285767890efb49fcb43ffa1b7563b8943248fd5f8948abc4875d462c3382268f53b27214bd6e2d42a318dcb
-  data.tar.gz: 7c7d5e9a117e28d883ec45c2e7cab9dba35b39ad468ca16a372f7403a6b2f9c74fd74b2e151f42e1b497d525701a46c6c224e46a548fb481ccc7374f54473fe6
+  metadata.gz: ab3e0be1351d8872fc3cc8d75502a3f8bd95f24a9870af84c164676b52e84f0ee34a72f7321db28c3889d133d167ec14c1ef32d0de9da3a918b0f4cdc4c43496
+  data.tar.gz: b91800c0d2282cc001d7fa9df45f1688f721c47d82ab5a01b62e656a10f2ccb7d8a18901076261bbc0ef88945ba87f042fd9cc54001b2638def2ebbfa83fe47e

data/.rubocop_todo.yml

@@ -57,6 +57,7 @@ Style/MutableConstant:
     - 'lib/qiita/markdown/filters/sanitize.rb'
     - 'lib/qiita/markdown/filters/simplify.rb'
     - 'lib/qiita/markdown/filters/syntax_highlight.rb'
+    - 'lib/qiita/markdown/code_pen.rb'
     - 'lib/qiita/markdown/processor.rb'
     - 'lib/qiita/markdown/summary_processor.rb'
     - 'lib/qiita/markdown/version.rb'

data/CHANGELOG.md

@@ -1,5 +1,9 @@
 ## Unreleased
 
+## 0.22.0
+
+- Support embed CodePen
+
 ## 0.21.0
 
 - Rename `Code` to `CodeBlock`

data/lib/qiita/markdown.rb

@@ -7,6 +7,10 @@ require "nokogiri"
 require "pygments"
 require "sanitize"
 
+require "qiita/markdown/code_pen"
+require "qiita/markdown/transformers/filter_attributes"
+require "qiita/markdown/transformers/filter_script"
+require "qiita/markdown/transformers/strip_invalid_node"
 require "qiita/markdown/filters/checkbox"
 require "qiita/markdown/filters/code_block"
 require "qiita/markdown/filters/emoji"

data/lib/qiita/markdown/code_pen.rb

@@ -0,0 +1,8 @@
+module Qiita
+  module Markdown
+    module CodePen
+      SCRIPT_URL = "https://production-assets.codepen.io/assets/embed/ei.js"
+      ATTRIBUTES = %w[class data-embed-version data-slug-hash]
+    end
+  end
+end

data/lib/qiita/markdown/filters/final_sanitizer.rb

@@ -10,45 +10,6 @@ module Qiita
       #
       # @see Qiita::Markdown::Filters::UserInputSanitizerr
       class FinalSanitizer < HTML::Pipeline::Filter
-        # Wraps a node env to transform invalid node.
-        class TransformableNode
-          def self.call(*args)
-            new(*args).transform
-          end
-
-          def initialize(env)
-            @env = env
-          end
-
-          def transform
-            if has_invalid_list_node? || has_invalid_table_node?
-              node.replace(node.children)
-            end
-          end
-
-          private
-
-          def has_invalid_list_node?
-            name == "li" && node.ancestors.none? do |ancestor|
-              %w[ol ul].include?(ancestor.name)
-            end
-          end
-
-          def has_invalid_table_node?
-            %w[thead tbody tfoot tr td th].include?(name) && node.ancestors.none? do |ancestor|
-              ancestor.name == "table"
-            end
-          end
-
-          def name
-            @env[:node_name]
-          end
-
-          def node
-            @env[:node]
-          end
-        end
-
         RULE = {
           attributes: {
             "a" => [
@@ -80,6 +41,7 @@ module Qiita
               "itemscope",
               "itemtype",
             ],
+            "p" => CodePen::ATTRIBUTES,
             "script" => [
               "async",
               "src",
@@ -173,6 +135,7 @@ module Qiita
             "ruby",
             "s",
             "samp",
+            "script",
             "span",
             "strike",
             "strong",
@@ -219,17 +182,17 @@ module Qiita
               ],
             },
           },
-          remove_contents: [
-            "script",
+          transformers: [
+            Transformers::StripInvalidNode,
+            Transformers::FilterScript,
           ],
-          transformers: TransformableNode,
         }.freeze
 
         SCRIPTABLE_RULE = RULE.dup.tap do |rule|
           rule[:attributes] = RULE[:attributes].dup
           rule[:attributes][:all] = rule[:attributes][:all] + [:data]
           rule[:elements] = RULE[:elements] + ["iframe", "script", "video"]
-          rule[:remove_contents] = []
+          rule[:transformers] = rule[:transformers] - [Transformers::FilterScript]
         end
 
         def call

data/lib/qiita/markdown/filters/user_input_sanitizer.rb

@@ -3,65 +3,10 @@ module Qiita
     module Filters
       # Sanitizes user input if :strict context is given.
       class UserInputSanitizer < HTML::Pipeline::Filter
-        class AttributeFilter
-          FILTERS = {
-            "a" => {
-              "class" => %w[autolink],
-              "rel" => %w[footnote url],
-              "rev" => %w[footnote],
-            },
-            "blockquote" => {
-              "class" => %w[twitter-tweet],
-            },
-            "div" => {
-              "class" => %w[footnotes],
-            },
-            "sup" => {
-              "id" => /\Afnref\d+\z/,
-            },
-            "li" => {
-              "id" => /\Afn\d+\z/,
-            },
-          }.freeze
-
-          DELIMITER = " ".freeze
-
-          def self.call(*args)
-            new(*args).transform
-          end
-
-          def initialize(env)
-            @env = env
-          end
-
-          def transform
-            return unless FILTERS.key?(name)
-            FILTERS[name].each_pair do |attr, pattern|
-              filter_attribute(attr, pattern) if node.attributes.key?(attr)
-            end
-          end
-
-          private
-
-          def filter_attribute(attr, pattern)
-            node[attr] = node[attr].split(DELIMITER).select do |value|
-              pattern.is_a?(Array) ? pattern.include?(value) : (pattern =~ value)
-            end.join(DELIMITER)
-          end
-
-          def name
-            @env[:node_name]
-          end
-
-          def node
-            @env[:node]
-          end
-        end
-
         RULE = {
           elements: %w[
             a b blockquote br code dd del details div dl dt em font h1 h2 h3 h4 h5 h6
-            hr i img ins kbd li ol p pre q rp rt ruby s samp strike strong sub
+            hr i img ins kbd li ol p pre q rp rt ruby s samp script strike strong sub
             summary sup table tbody td tfoot th thead tr ul var
           ],
           attributes: {
@@ -79,7 +24,9 @@ module Qiita
             "img"        => %w[alt height src title width],
             "ins"        => %w[cite datetime],
             "li"         => %w[id],
+            "p"          => CodePen::ATTRIBUTES,
             "q"          => %w[cite],
+            "script"     => %w[async src],
             "sup"        => %w[id],
             "td"         => %w[colspan rowspan style],
             "th"         => %w[colspan rowspan style],
@@ -92,10 +39,10 @@ module Qiita
           css: {
             properties: %w[text-align],
           },
-          remove_contents: %w[
-            script
+          transformers: [
+            Transformers::FilterAttributes,
+            Transformers::FilterScript,
           ],
-          transformers: AttributeFilter,
         }.freeze
 
         def call

data/lib/qiita/markdown/transformers/filter_attributes.rb

@@ -0,0 +1,63 @@
+module Qiita
+  module Markdown
+    module Transformers
+      class FilterAttributes
+        FILTERS = {
+          "a" => {
+            "class" => %w[autolink],
+            "rel" => %w[footnote url],
+            "rev" => %w[footnote],
+          },
+          "blockquote" => {
+            "class" => %w[twitter-tweet],
+          },
+          "div" => {
+            "class" => %w[footnotes],
+          },
+          "p" => {
+            "class" => %w[codepen],
+          },
+          "sup" => {
+            "id" => /\Afnref\d+\z/,
+          },
+          "li" => {
+            "id" => /\Afn\d+\z/,
+          },
+        }.freeze
+
+        DELIMITER = " ".freeze
+
+        def self.call(*args)
+          new(*args).transform
+        end
+
+        def initialize(env)
+          @env = env
+        end
+
+        def transform
+          return unless FILTERS.key?(name)
+          FILTERS[name].each_pair do |attr, pattern|
+            filter_attribute(attr, pattern) if node.attributes.key?(attr)
+          end
+        end
+
+        private
+
+        def filter_attribute(attr, pattern)
+          node[attr] = node[attr].split(DELIMITER).select do |value|
+            pattern.is_a?(Array) ? pattern.include?(value) : (pattern =~ value)
+          end.join(DELIMITER)
+        end
+
+        def name
+          @env[:node_name]
+        end
+
+        def node
+          @env[:node]
+        end
+      end
+    end
+  end
+end

data/lib/qiita/markdown/transformers/filter_script.rb

@@ -0,0 +1,40 @@
+module Qiita
+  module Markdown
+    module Transformers
+      class FilterScript
+        WHITE_LIST = [
+          CodePen::SCRIPT_URL,
+        ].freeze
+
+        def self.call(*args)
+          new(*args).transform
+        end
+
+        def initialize(env)
+          @env = env
+        end
+
+        def transform
+          if name == "script"
+            if WHITE_LIST.include?(node["src"])
+              node["async"] = "async" unless node.attributes.key?("async")
+              node.children.unlink
+            else
+              node.unlink
+            end
+          end
+        end
+
+        private
+
+        def name
+          @env[:node_name]
+        end
+
+        def node
+          @env[:node]
+        end
+      end
+    end
+  end
+end

data/lib/qiita/markdown/transformers/strip_invalid_node.rb

@@ -0,0 +1,44 @@
+module Qiita
+  module Markdown
+    module Transformers
+      # Wraps a node env to transform invalid node.
+      class StripInvalidNode
+        def self.call(*args)
+          new(*args).transform
+        end
+
+        def initialize(env)
+          @env = env
+        end
+
+        def transform
+          if has_invalid_list_node? || has_invalid_table_node?
+            node.replace(node.children)
+          end
+        end
+
+        private
+
+        def has_invalid_list_node?
+          name == "li" && node.ancestors.none? do |ancestor|
+            %w[ol ul].include?(ancestor.name)
+          end
+        end
+
+        def has_invalid_table_node?
+          %w[thead tbody tfoot tr td th].include?(name) && node.ancestors.none? do |ancestor|
+            ancestor.name == "table"
+          end
+        end
+
+        def name
+          @env[:node_name]
+        end
+
+        def node
+          @env[:node]
+        end
+      end
+    end
+  end
+end

data/lib/qiita/markdown/version.rb

@@ -1,5 +1,5 @@
 module Qiita
   module Markdown
-    VERSION = "0.21.0"
+    VERSION = "0.22.0"
   end
 end

data/spec/qiita/markdown/processor_spec.rb

@@ -1140,7 +1140,7 @@ describe Qiita::Markdown::Processor do
     end
 
     shared_examples_for "data-attributes" do |allowed:|
-      context "with data-attributes" do
+      context "with data-attributes for general tags" do
         let(:markdown) do
           <<-EOS.strip_heredoc
             <div data-a="b"></div>
@@ -1161,6 +1161,28 @@ describe Qiita::Markdown::Processor do
           end
         end
       end
+
+      context "with data-attributes for <p> tag" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            <p data-slug-hash="a" data-malicious="b"></p>
+          EOS
+        end
+
+        if allowed
+          it "does not sanitize data-attributes" do
+            should eq <<-EOS.strip_heredoc
+              <p data-slug-hash="a" data-malicious="b"></p>
+            EOS
+          end
+        else
+          it "sanitizes data-attributes except the attributes used by codepen" do
+            should eq <<-EOS.strip_heredoc
+              <p data-slug-hash="a"></p>
+            EOS
+          end
+        end
+      end
     end
 
     shared_examples_for "class attribute" do |allowed:|
@@ -1248,6 +1270,28 @@ describe Qiita::Markdown::Processor do
           end
         end
       end
+
+      context "with class attribute for <p> tag" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            <p class="codepen malicious-class">foo</p>
+          EOS
+        end
+
+        if allowed
+          it "does not sanitize the classes" do
+            should eq <<-EOS.strip_heredoc
+              <p class="codepen malicious-class">foo</p>
+            EOS
+          end
+        else
+          it "sanitizes classes except `codepen`" do
+            should eq <<-EOS.strip_heredoc
+              <p class="codepen">foo</p>
+            EOS
+          end
+        end
+      end
     end
 
     shared_examples_for "background-color" do |allowed:|
@@ -1268,6 +1312,33 @@ describe Qiita::Markdown::Processor do
       end
     end
 
+    shared_examples_for "override codepen attributes" do |allowed:|
+      context "with HTML embed code for CodePen" do
+        let(:markdown) do
+          <<-EOS.strip_heredoc
+            <p data-height="1" data-theme-id="0" data-slug-hash="foo" data-default-tab="bar" data-user="baz" data-embed-version="2" data-pen-title="qux" class="codepen"></p>
+            <script src="https://production-assets.codepen.io/assets/embed/ei.js"></script>
+          EOS
+        end
+
+        if allowed
+          it "does not sanitize embed code" do
+            should eq <<-EOS.strip_heredoc
+              <p data-height="1" data-theme-id="0" data-slug-hash="foo" data-default-tab="bar" data-user="baz" data-embed-version="2" data-pen-title="qux" class="codepen"></p>\n
+              <script src="https://production-assets.codepen.io/assets/embed/ei.js"></script>
+            EOS
+          end
+        else
+          it "sanitizes data-attributes except the minimum attributes and force async attribute" do
+            should eq <<-EOS.strip_heredoc
+              <p data-slug-hash="foo" data-embed-version="2" class="codepen"></p>\n
+              <script src="https://production-assets.codepen.io/assets/embed/ei.js" async="async"></script>
+            EOS
+          end
+        end
+      end
+    end
+
     context "without script and strict context" do
       let(:context) do
         super().merge(script: false, strict: false)
@@ -1281,6 +1352,7 @@ describe Qiita::Markdown::Processor do
       include_examples "data-attributes", allowed: false
       include_examples "class attribute", allowed: true
       include_examples "background-color", allowed: true
+      include_examples "override codepen attributes", allowed: false
     end
 
     context "with script context" do
@@ -1296,6 +1368,7 @@ describe Qiita::Markdown::Processor do
       include_examples "data-attributes", allowed: true
       include_examples "class attribute", allowed: true
       include_examples "background-color", allowed: true
+      include_examples "override codepen attributes", allowed: true
     end
 
     context "with strict context" do
@@ -1311,6 +1384,7 @@ describe Qiita::Markdown::Processor do
       include_examples "data-attributes", allowed: false
       include_examples "class attribute", allowed: false
       include_examples "background-color", allowed: false
+      include_examples "override codepen attributes", allowed: false
     end
 
     context "with script and strict context" do
@@ -1326,6 +1400,7 @@ describe Qiita::Markdown::Processor do
       include_examples "data-attributes", allowed: false
       include_examples "class attribute", allowed: false
       include_examples "background-color", allowed: false
+      include_examples "override codepen attributes", allowed: false
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: qiita-markdown
 version: !ruby/object:Gem::Version
-  version: 0.21.0
+  version: 0.22.0
 platform: ruby
 authors:
 - Ryo Nakamura
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-11-13 00:00:00.000000000 Z
+date: 2017-11-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gemoji
@@ -256,6 +256,7 @@ files:
 - lib/qiita-markdown.rb
 - lib/qiita/markdown.rb
 - lib/qiita/markdown/base_processor.rb
+- lib/qiita/markdown/code_pen.rb
 - lib/qiita/markdown/filters/checkbox.rb
 - lib/qiita/markdown/filters/code_block.rb
 - lib/qiita/markdown/filters/emoji.rb
@@ -277,6 +278,9 @@ files:
 - lib/qiita/markdown/greenmat/html_toc_renderer.rb
 - lib/qiita/markdown/processor.rb
 - lib/qiita/markdown/summary_processor.rb
+- lib/qiita/markdown/transformers/filter_attributes.rb
+- lib/qiita/markdown/transformers/filter_script.rb
+- lib/qiita/markdown/transformers/strip_invalid_node.rb
 - lib/qiita/markdown/version.rb
 - qiita-markdown.gemspec
 - spec/qiita/markdown/filters/greenmat_spec.rb