qiita-markdown 0.27.0 → 0.32.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e5daef53080035aaeb3d6330fd29a92c62edfb4daf432c62f4617f2683682ab1
-  data.tar.gz: 8bd27e4fb3b789cbbe98ca99dd987277091f262509d4a596996942ead45ae9ca
+  metadata.gz: 1e3469d19ed195eb7a7ccdeeedaa1503154a262893c882768834c8636fad0ae7
+  data.tar.gz: 3b9fec449730dcf1f19ec3d84247a7b1d89e1f785e9b52eace389cedfb9045c3
 SHA512:
-  metadata.gz: f38d622bdfcec12a795998a31b9dec566583542837024bb9ad6c0c88531b16b759774966ad0925d03d06f3c58de9d81192b074c6ed82c57b26caa7c5a7b93332
-  data.tar.gz: 4c22a80c6be7cb94ee7cc5e1a3966a788aae38f6e72e0784a42678d472cc1081dbd626f89d98250fea91e4000081fc949334d276b09869896cca4b005155e51b
+  metadata.gz: cab8938cb167a8c41d6b68478f562f87e5c06a6f412c4f4e0b12c9450cb7506c380eb9ab7ef3ae73eca991d50bbb1da8d5d3e5da4a0e7fdece14ebea15053e1f
+  data.tar.gz: 5e74b4610be3b012d1cd381ecc5e3efc41f581da095ae3a6d5836dc3b62297c7d7deac6d0e93d1c32d84385baea699bfff6f804e1f5924539b3468703d01cd94

data/CHANGELOG.md

@@ -1,5 +1,31 @@
 ## Unreleased
 
+## 0.32.0
+
+- Fixed XSS possibility bug
+- Fix iframe width to be fixed at 100%
+
+## 0.31.0
+
+- Use greenmat 3.5.1.1
+
+## 0.30.0
+
+- Use greenmat 3.5.1.0
+
+## 0.29.0
+
+- Accept new embeded script and iframes
+    - Gist
+    - Youtube
+    - SlideShare
+    - SpeekerDeck
+    - GoogleSlide
+
+## 0.28.0
+
+- Accept new codepen script url (cpwebassets.codepen.io)
+
 ## 0.27.0
 
 - Support embed Asciinema

data/lib/qiita/markdown.rb

@@ -10,8 +10,14 @@ require "sanitize"
 require "qiita/markdown/embed/code_pen"
 require "qiita/markdown/embed/tweet"
 require "qiita/markdown/embed/asciinema"
+require "qiita/markdown/embed/gist"
+require "qiita/markdown/embed/youtube"
+require "qiita/markdown/embed/slide_share"
+require "qiita/markdown/embed/google_slide"
+require "qiita/markdown/embed/speeker_deck"
 require "qiita/markdown/transformers/filter_attributes"
 require "qiita/markdown/transformers/filter_script"
+require "qiita/markdown/transformers/filter_iframe"
 require "qiita/markdown/transformers/strip_invalid_node"
 require "qiita/markdown/filters/checkbox"
 require "qiita/markdown/filters/code_block"

data/lib/qiita/markdown/embed/code_pen.rb

@@ -5,6 +5,7 @@ module Qiita
         SCRIPT_URLS = [
           "https://production-assets.codepen.io/assets/embed/ei.js",
           "https://static.codepen.io/assets/embed/ei.js",
+          "https://cpwebassets.codepen.io/assets/embed/ei.js",
         ]
         CLASS_NAME = %w[codepen]
         DATA_ATTRIBUTES = %w[

data/lib/qiita/markdown/embed/gist.rb

@@ -0,0 +1,9 @@
+module Qiita
+  module Markdown
+    module Embed
+      module Gist
+        SCRIPT_HOST = "gist.github.com".freeze
+      end
+    end
+  end
+end

data/lib/qiita/markdown/embed/google_slide.rb

@@ -0,0 +1,9 @@
+module Qiita
+  module Markdown
+    module Embed
+      module GoogleSlide
+        SCRIPT_HOST = "docs.google.com".freeze
+      end
+    end
+  end
+end

data/lib/qiita/markdown/embed/slide_share.rb

@@ -0,0 +1,9 @@
+module Qiita
+  module Markdown
+    module Embed
+      module SlideShare
+        SCRIPT_HOST = "www.slideshare.net".freeze
+      end
+    end
+  end
+end

data/lib/qiita/markdown/embed/speeker_deck.rb

@@ -0,0 +1,16 @@
+module Qiita
+  module Markdown
+    module Embed
+      module SpeekerDeck
+        SCRIPT_URLS = [
+          "//speakerdeck.com/assets/embed.js",
+        ].freeze
+        CLASS_NAME = %w[speakerdeck-embed].freeze
+        DATA_ATTRIBUTES = %w[
+          data-id data-ratio
+        ].freeze
+        ATTRIBUTES = %w[class] + DATA_ATTRIBUTES
+      end
+    end
+  end
+end

data/lib/qiita/markdown/embed/youtube.rb

@@ -0,0 +1,12 @@
+module Qiita
+  module Markdown
+    module Embed
+      module Youtube
+        SCRIPT_HOSTS = [
+          "www.youtube-nocookie.com",
+          "www.youtube.com",
+        ].freeze
+      end
+    end
+  end
+end

data/lib/qiita/markdown/filters/final_sanitizer.rb

@@ -47,7 +47,9 @@ module Qiita
               "async",
               "src",
               "type",
-            ],
+            ].concat(
+              Embed::SpeekerDeck::ATTRIBUTES,
+            ),
             "span" => [
               "style",
             ],
@@ -137,6 +139,7 @@ module Qiita
             "s",
             "samp",
             "script",
+            "iframe",
             "span",
             "strike",
             "strong",
@@ -186,14 +189,15 @@ module Qiita
           transformers: [
             Transformers::StripInvalidNode,
             Transformers::FilterScript,
+            Transformers::FilterIframe,
           ],
         }.freeze
 
         SCRIPTABLE_RULE = RULE.dup.tap do |rule|
           rule[:attributes] = RULE[:attributes].dup
           rule[:attributes][:all] = rule[:attributes][:all] + [:data]
-          rule[:elements] = RULE[:elements] + ["iframe", "video"]
-          rule[:transformers] = rule[:transformers] - [Transformers::FilterScript]
+          rule[:elements] = RULE[:elements] + ["video"]
+          rule[:transformers] = rule[:transformers] - [Transformers::FilterScript, Transformers::FilterIframe]
         end
 
         def call

data/lib/qiita/markdown/filters/user_input_sanitizer.rb

@@ -6,7 +6,7 @@ module Qiita
         RULE = {
           elements: %w[
             a b blockquote br code dd del details div dl dt em font h1 h2 h3 h4 h5 h6
-            hr i img ins kbd li ol p pre q rp rt ruby s samp script strike strong sub
+            hr i img ins kbd li ol p pre q rp rt ruby s samp script iframe strike strong sub
             summary sup table tbody td tfoot th thead tr ul var
           ],
           attributes: {
@@ -26,7 +26,18 @@ module Qiita
             "li"         => %w[id],
             "p"          => Embed::CodePen::ATTRIBUTES,
             "q"          => %w[cite],
-            "script"     => %w[async src id],
+            "script"     => %w[async src id].concat(Embed::SpeekerDeck::ATTRIBUTES),
+            "iframe"     => %w[
+              allowfullscreen
+              frameborder
+              height
+              marginheight
+              marginwidth
+              scrolling
+              src
+              style
+              width
+            ],
             "sup"        => %w[id],
             "td"         => %w[colspan rowspan style],
             "th"         => %w[colspan rowspan style],
@@ -42,6 +53,7 @@ module Qiita
           transformers: [
             Transformers::FilterAttributes,
             Transformers::FilterScript,
+            Transformers::FilterIframe,
           ],
         }.freeze
 

data/lib/qiita/markdown/transformers/filter_iframe.rb

@@ -0,0 +1,54 @@
+module Qiita
+  module Markdown
+    module Transformers
+      class FilterIframe
+        URL_WHITE_LIST = [
+        ].flatten.freeze
+
+        HOST_WHITE_LIST = [
+          Embed::Youtube::SCRIPT_HOSTS,
+          Embed::SlideShare::SCRIPT_HOST,
+          Embed::GoogleSlide::SCRIPT_HOST,
+        ].flatten.freeze
+
+        def self.call(*args)
+          new(*args).transform
+        end
+
+        def initialize(env)
+          @env = env
+        end
+
+        def transform
+          if name == "iframe"
+            if URL_WHITE_LIST.include?(node["src"]) || HOST_WHITE_LIST.include?(host_of(node["src"]))
+              node["width"] = "100%"
+              node.children.unlink
+            else
+              node.unlink
+            end
+          end
+        end
+
+        private
+
+        def name
+          @env[:node_name]
+        end
+
+        def node
+          @env[:node]
+        end
+
+        def host_of(url)
+          if url
+            port = URI.parse(url).port
+            Addressable::URI.parse(url).host if [443, 80].include? port
+          end
+        rescue Addressable::URI::InvalidURIError
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/qiita/markdown/transformers/filter_script.rb

@@ -5,10 +5,12 @@ module Qiita
         URL_WHITE_LIST = [
           Embed::CodePen::SCRIPT_URLS,
           Embed::Tweet::SCRIPT_URL,
+          Embed::SpeekerDeck::SCRIPT_URLS,
         ].flatten.freeze
 
         HOST_WHITE_LIST = [
           Embed::Asciinema::SCRIPT_HOST,
+          Embed::Gist::SCRIPT_HOST,
         ].flatten.freeze
 
         def self.call(*args)
@@ -41,7 +43,10 @@ module Qiita
         end
 
         def host_of(url)
-          Addressable::URI.parse(url).host if url
+          if url
+            port = URI.parse(url).port
+            Addressable::URI.parse(url).host if [443, 80].include? port
+          end
         rescue Addressable::URI::InvalidURIError
           nil
         end

data/lib/qiita/markdown/version.rb

@@ -1,5 +1,5 @@
 module Qiita
   module Markdown
-    VERSION = "0.27.0"
+    VERSION = "0.32.0"
   end
 end

data/qiita-markdown.gemspec

@@ -23,7 +23,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "html-pipeline", "~> 2.0"
   spec.add_dependency "mem"
   spec.add_dependency "pygments.rb", "~> 1.0"
-  spec.add_dependency "greenmat", "3.2.2.4"
+  spec.add_dependency "greenmat", "3.5.1.1"
   spec.add_dependency "sanitize"
   spec.add_dependency "addressable"
   spec.add_development_dependency "activesupport", "4.2.6"

data/spec/qiita/markdown/processor_spec.rb

@@ -740,7 +740,7 @@ describe Qiita::Markdown::Processor do
 
         it "generates footnotes elements" do
           should eq <<-HTML.strip_heredoc
-            <p><sup id="fnref1"><a href="#fn1" rel="footnote" title="test">1</a></sup></p>
+            <p><sup id="fnref1"><a href="#fn1" title="test">1</a></sup></p>
 
             <div class="footnotes">
             <hr>
@@ -756,6 +756,25 @@ describe Qiita::Markdown::Processor do
         end
       end
 
+      context "with footenotes syntax with code block" do
+        let(:markdown) do
+          <<-MARKDOWN.strip_heredoc
+            ```
+            [^1]
+            [^1]: test
+            ```
+          MARKDOWN
+        end
+
+        it "generates only code blocks without footnotes" do
+          should eq <<-HTML.strip_heredoc
+            <div class="code-frame" data-lang="text"><div class="highlight"><pre><span></span>[^1]
+            [^1]: test
+            </pre></div></div>
+          HTML
+        end
+      end
+
       context "with manually written link inside of <sup> tag" do
         let(:markdown) do
           <<-MARKDOWN.strip_heredoc
@@ -1031,6 +1050,31 @@ describe Qiita::Markdown::Processor do
           end
         end
       end
+
+      context "with details tag" do
+        let(:markdown) do
+          <<-MARKDOWN.strip_heredoc
+            <details><summary>Folding sample</summary><div>
+
+            ```rb
+            puts "Hello, World"
+            ```
+            </div></details>
+          MARKDOWN
+        end
+
+        it "returns HTML output parsed as markdown" do
+          expect(subject).to eq <<-HTML.strip_heredoc
+            <p><details><summary>Folding sample</summary><div>
+
+            <div class="code-frame" data-lang="rb"><div class="highlight"><pre><span></span><span class="nb">puts</span> <span class="s2">"Hello, World"</span>
+            </pre></div></div>
+
+            <p></p>
+            </div></details></p>
+          HTML
+        end
+      end
     end
 
     shared_examples_for "script element" do |allowed:|
@@ -1407,6 +1451,138 @@ describe Qiita::Markdown::Processor do
         end
       end
 
+      context "with HTML embed code for Gist" do
+        let(:markdown) do
+          <<-MARKDOWN.strip_heredoc
+            <script id="example" src="https://gist.github.com/a/example.js"></script>
+          MARKDOWN
+        end
+
+        if allowed
+          it "does not sanitize embed code" do
+            should eq <<-HTML.strip_heredoc
+              <script id="example" src="https://gist.github.com/a/example.js"></script>
+            HTML
+          end
+        else
+          it "forces async attribute on script" do
+            should eq <<-HTML.strip_heredoc
+              <script id="example" src="https://gist.github.com/a/example.js" async="async"></script>
+            HTML
+          end
+        end
+      end
+
+      context "with HTML embed code for Youtube" do
+        let(:markdown) do
+          <<-MARKDOWN.strip_heredoc
+            <iframe width="100" height="100" src="https://www.youtube.com/embed/example"></iframe>
+          MARKDOWN
+        end
+
+        if allowed
+          it "does not sanitize embed code" do
+            should eq <<-HTML.strip_heredoc
+              <iframe width="100" height="100" src="https://www.youtube.com/embed/example"></iframe>
+            HTML
+          end
+        else
+          it "forces width attribute on iframe" do
+            should eq <<-HTML.strip_heredoc
+              <iframe width="100%" height="100" src="https://www.youtube.com/embed/example"></iframe>
+            HTML
+          end
+        end
+
+        context "when url is privacy enhanced mode" do
+          let(:markdown) do
+            <<-MARKDOWN.strip_heredoc
+              <iframe width="100" height="100" src="https://www.youtube-nocookie.com/embed/example"></iframe>
+            MARKDOWN
+          end
+
+          if allowed
+            it "does not sanitize embed code" do
+              should eq <<-HTML.strip_heredoc
+                <iframe width="100" height="100" src="https://www.youtube-nocookie.com/embed/example"></iframe>
+              HTML
+            end
+          else
+            it "forces width attribute on iframe" do
+              should eq <<-HTML.strip_heredoc
+                <iframe width="100%" height="100" src="https://www.youtube-nocookie.com/embed/example"></iframe>
+              HTML
+            end
+          end
+        end
+      end
+
+      context "with HTML embed code for SlideShare" do
+        let(:markdown) do
+          <<-MARKDOWN.strip_heredoc
+            <iframe width="100" height="100" src="https://www.slideshare.net/embed/example"></iframe>
+          MARKDOWN
+        end
+
+        if allowed
+          it "does not sanitize embed code" do
+            should eq <<-HTML.strip_heredoc
+              <iframe width="100" height="100" src="https://www.slideshare.net/embed/example"></iframe>
+            HTML
+          end
+        else
+          it "forces width attribute on iframe" do
+            should eq <<-HTML.strip_heredoc
+              <iframe width="100%" height="100" src="https://www.slideshare.net/embed/example"></iframe>
+            HTML
+          end
+        end
+      end
+
+      context "with HTML embed code for GoogleSlide" do
+        let(:markdown) do
+          <<-MARKDOWN.strip_heredoc
+            <iframe src="https://docs.google.com/presentation/d/example/embed" frameborder="0" width="482" height="300" allowfullscreen="true" mozallowfullscreen="true" webkitallowfullscreen="true"></iframe>
+          MARKDOWN
+        end
+
+        if allowed
+          it "does not sanitize embed code" do
+            should eq <<-HTML.strip_heredoc
+              <iframe src="https://docs.google.com/presentation/d/example/embed" frameborder="0" width="482" height="300" allowfullscreen="true"></iframe>
+            HTML
+          end
+        else
+          it "forces width attribute on iframe" do
+            should eq <<-HTML.strip_heredoc
+              <iframe src="https://docs.google.com/presentation/d/example/embed" frameborder="0" width="100%" height="300" allowfullscreen="true"></iframe>
+            HTML
+          end
+        end
+      end
+
+      context "with HTML embed code for SpeekerDeck" do
+        let(:markdown) do
+          <<-MARKDOWN.strip_heredoc
+            <script async class="speakerdeck-embed" data-id="example" data-ratio="1.33333333333333" src="//speakerdeck.com/assets/embed.js"></script>
+          MARKDOWN
+        end
+
+        if allowed
+          it "does not sanitize embed code" do
+            should eq <<-HTML.strip_heredoc
+              <script async class="speakerdeck-embed" data-id="example" data-ratio="1.33333333333333" src="//speakerdeck.com/assets/embed.js"></script>
+            HTML
+          end
+        else
+          it "forces async attribute on script" do
+            should eq <<-HTML.strip_heredoc
+              <script async class="speakerdeck-embed" data-id="example" data-ratio="1.33333333333333" src="//speakerdeck.com/assets/embed.js"></script>
+            HTML
+          end
+        end
+      end
+
       context "with embed code for Tweet" do
         let(:markdown) do
           <<-MARKDOWN.strip_heredoc
@@ -1422,6 +1598,34 @@ describe Qiita::Markdown::Processor do
           HTML
         end
       end
+
+      context "with embed script code with xss" do
+        let(:markdown) do
+          <<-MARKDOWN.strip_heredoc
+            <script async class="speakerdeck-embed" data-id="example" data-ratio="1.33333333333333" src="javascript://speakerdeck.com/assets/embed.js"></script>
+          MARKDOWN
+
+          it "forces width attribute on iframe" do
+            should eq <<-HTML.strip_heredoc
+              \n
+            HTML
+          end
+        end
+      end
+
+      context "with embed iframe code with xss" do
+        let(:markdown) do
+          <<-MARKDOWN.strip_heredoc
+            <iframe src="javascript://docs.google.com/presentation/d/example/embed" frameborder="0" width="482" height="300" allowfullscreen="true" mozallowfullscreen="true" webkitallowfullscreen="true"></iframe>
+          MARKDOWN
+
+          it "forces width attribute on iframe" do
+            should eq <<-HTML.strip_heredoc
+              \n
+            HTML
+          end
+        end
+      end
     end
 
     context "without script and strict context" do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: qiita-markdown
 version: !ruby/object:Gem::Version
-  version: 0.27.0
+  version: 0.32.0
 platform: ruby
 authors:
 - Ryo Nakamura
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-01-16 00:00:00.000000000 Z
+date: 2021-03-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gemoji
@@ -86,14 +86,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 3.2.2.4
+        version: 3.5.1.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 3.2.2.4
+        version: 3.5.1.1
 - !ruby/object:Gem::Dependency
   name: sanitize
   requirement: !ruby/object:Gem::Requirement
@@ -234,7 +234,7 @@ dependencies:
     - - '='
       - !ruby/object:Gem::Version
         version: 0.49.1
-description: 
+description:
 email:
 - r7kamura@gmail.com
 executables: []
@@ -258,7 +258,12 @@ files:
 - lib/qiita/markdown/base_processor.rb
 - lib/qiita/markdown/embed/asciinema.rb
 - lib/qiita/markdown/embed/code_pen.rb
+- lib/qiita/markdown/embed/gist.rb
+- lib/qiita/markdown/embed/google_slide.rb
+- lib/qiita/markdown/embed/slide_share.rb
+- lib/qiita/markdown/embed/speeker_deck.rb
 - lib/qiita/markdown/embed/tweet.rb
+- lib/qiita/markdown/embed/youtube.rb
 - lib/qiita/markdown/filters/checkbox.rb
 - lib/qiita/markdown/filters/code_block.rb
 - lib/qiita/markdown/filters/emoji.rb
@@ -281,6 +286,7 @@ files:
 - lib/qiita/markdown/processor.rb
 - lib/qiita/markdown/summary_processor.rb
 - lib/qiita/markdown/transformers/filter_attributes.rb
+- lib/qiita/markdown/transformers/filter_iframe.rb
 - lib/qiita/markdown/transformers/filter_script.rb
 - lib/qiita/markdown/transformers/strip_invalid_node.rb
 - lib/qiita/markdown/version.rb
@@ -295,7 +301,7 @@ homepage: https://github.com/increments/qiita-markdown
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -310,9 +316,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
-signing_key: 
+rubygems_version: 3.0.3
+signing_key:
 specification_version: 4
 summary: Qiita-specified markdown processor.
 test_files: