qiita-markdown 0.29.0 → 0.34.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +21 -0
- data/lib/qiita/markdown.rb +0 -1
- data/lib/qiita/markdown/transformers/filter_iframe.rb +6 -2
- data/lib/qiita/markdown/transformers/filter_script.rb +5 -3
- data/lib/qiita/markdown/version.rb +1 -1
- data/qiita-markdown.gemspec +1 -1
- data/spec/qiita/markdown/processor_spec.rb +114 -32
- metadata +4 -5
- data/lib/qiita/markdown/embed/gist.rb +0 -9
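--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 930ee5ee8bc770b95b918f3cfed4fdac57f133e9e69d0b21fff77cd2506a8fdc
+data.tar.gz: 87f95cb871e08f94e1e03dd11a14ddd974ee24726b78ae3496bd3629e3b76959
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 0ac7943de01ab9b05c990f6ec8abe64d37c780b186da66b30017129f014d7944aa60e437a9466033b2c801dd701fdf6564d30451bc2ece1d6551011ff44d814b
+data.tar.gz: cb8bd175dcd7aec1685209eca0c51c396a80d686737267155d1815d98546f65d7fa5927cf525cb109ed777a5a92835239f59d46e70f246e8ddb1bd9b8f7ebac5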
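--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,26 @@
 ## Unreleased
 
+## 0.34.0
+
+- Delete gist embed rule to avoid XSS
+
+## 0.33.0
+
+- Fix XSS possibility bug
+
+## 0.32.0
+
+- Fix XSS possibility bug
+- Fix iframe width to be fixed at 100%
+
+## 0.31.0
+
+- Use greenmat 3.5.1.1
+
+## 0.30.0
+
+- Use greenmat 3.5.1.0
+
 ## 0.29.0
 
 - Accept new embeded script and iframes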
data/lib/qiita/markdown.rb
CHANGED
@@ -10,7 +10,6 @@ require "sanitize"
|
|
10
10
|
require "qiita/markdown/embed/code_pen"
|
11
11
|
require "qiita/markdown/embed/tweet"
|
12
12
|
require "qiita/markdown/embed/asciinema"
|
13
|
-
require "qiita/markdown/embed/gist"
|
14
13
|
require "qiita/markdown/embed/youtube"
|
15
14
|
require "qiita/markdown/embed/slide_share"
|
16
15
|
require "qiita/markdown/embed/google_slide"
|
@@ -22,6 +22,7 @@ module Qiita
|
|
22
22
|
def transform
|
23
23
|
if name == "iframe"
|
24
24
|
if URL_WHITE_LIST.include?(node["src"]) || HOST_WHITE_LIST.include?(host_of(node["src"]))
|
25
|
+
node["width"] = "100%"
|
25
26
|
node.children.unlink
|
26
27
|
else
|
27
28
|
node.unlink
|
@@ -40,8 +41,11 @@ module Qiita
|
|
40
41
|
end
|
41
42
|
|
42
43
|
def host_of(url)
|
43
|
-
|
44
|
-
|
44
|
+
if url
|
45
|
+
scheme = URI.parse(url).scheme
|
46
|
+
Addressable::URI.parse(url).host if ["http", "https"].include? scheme
|
47
|
+
end
|
48
|
+
rescue Addressable::URI::InvalidURIError, URI::InvalidURIError
|
45
49
|
nil
|
46
50
|
end
|
47
51
|
end
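Review bot: The scheme gate added at `scheme = URI.parse(url).scheme` carries no comment saying why it exists, although it is the actual fix here: without it a URL with a non-http(s) scheme can place an allow-listed host in its authority part (the `javascript://docs.google.com:80/...` case in the new spec hunk) and still satisfy `HOST_WHITE_LIST.include?`, so a why-comment such as `# Only http(s) URLs may match the host allow-list; other schemes can carry an allowed host in their authority part.` belongs on that line. The `["http", "https"]` literal is rebuilt on every call and duplicated verbatim in the identical `host_of` hunk of filter_script.rb (the `@@ -43,8 +42,11 @@` hunk below); a shared frozen constant, e.g. `ALLOWED_SCHEMES = %w[http https].freeze` checked with `ALLOWED_SCHEMES.include?(scheme)`, would keep the two gates from drifting apart. Scheme and host are also taken from two different parsers (`URI` for the scheme, `Addressable` for the host), which is presumably deliberate but deserves a comment so a later edit does not swap one without the other. The file header for this section is missing from the rendering; judging from the diffstat these hunks belong to filter_iframe.rb, and the same note applies to filter_script.rb.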
|
@@ -10,7 +10,6 @@ module Qiita
|
|
10
10
|
|
11
11
|
HOST_WHITE_LIST = [
|
12
12
|
Embed::Asciinema::SCRIPT_HOST,
|
13
|
-
Embed::Gist::SCRIPT_HOST,
|
14
13
|
].flatten.freeze
|
15
14
|
|
16
15
|
def self.call(*args)
|
@@ -43,8 +42,11 @@ module Qiita
|
|
43
42
|
end
|
44
43
|
|
45
44
|
def host_of(url)
|
46
|
-
|
47
|
-
|
45
|
+
if url
|
46
|
+
scheme = URI.parse(url).scheme
|
47
|
+
Addressable::URI.parse(url).host if ["http", "https"].include? scheme
|
48
|
+
end
|
49
|
+
rescue Addressable::URI::InvalidURIError, URI::InvalidURIError
|
48
50
|
nil
|
49
51
|
end
|
50
52
|
end
|
data/qiita-markdown.gemspec
CHANGED
@@ -23,7 +23,7 @@ Gem::Specification.new do |spec|
|
|
23
23
|
spec.add_dependency "html-pipeline", "~> 2.0"
|
24
24
|
spec.add_dependency "mem"
|
25
25
|
spec.add_dependency "pygments.rb", "~> 1.0"
|
26
|
-
spec.add_dependency "greenmat", "3.
|
26
|
+
spec.add_dependency "greenmat", "3.5.1.1"
|
27
27
|
spec.add_dependency "sanitize"
|
28
28
|
spec.add_dependency "addressable"
|
29
29
|
spec.add_development_dependency "activesupport", "4.2.6"
|
@@ -740,7 +740,7 @@ describe Qiita::Markdown::Processor do
|
|
740
740
|
|
741
741
|
it "generates footnotes elements" do
|
742
742
|
should eq <<-HTML.strip_heredoc
|
743
|
-
<p><sup id="fnref1"><a href="#fn1"
|
743
|
+
<p><sup id="fnref1"><a href="#fn1" title="test">1</a></sup></p>
|
744
744
|
|
745
745
|
<div class="footnotes">
|
746
746
|
<hr>
|
@@ -756,6 +756,25 @@ describe Qiita::Markdown::Processor do
|
|
756
756
|
end
|
757
757
|
end
|
758
758
|
|
759
|
+
context "with footenotes syntax with code block" do
|
760
|
+
let(:markdown) do
|
761
|
+
<<-MARKDOWN.strip_heredoc
|
762
|
+
```
|
763
|
+
[^1]
|
764
|
+
[^1]: test
|
765
|
+
```
|
766
|
+
MARKDOWN
|
767
|
+
end
|
768
|
+
|
769
|
+
it "generates only code blocks without footnotes" do
|
770
|
+
should eq <<-HTML.strip_heredoc
|
771
|
+
<div class="code-frame" data-lang="text"><div class="highlight"><pre><span></span>[^1]
|
772
|
+
[^1]: test
|
773
|
+
</pre></div></div>
|
774
|
+
HTML
|
775
|
+
end
|
776
|
+
end
|
777
|
+
|
759
778
|
context "with manually written link inside of <sup> tag" do
|
760
779
|
let(:markdown) do
|
761
780
|
<<-MARKDOWN.strip_heredoc
|
@@ -1031,6 +1050,31 @@ describe Qiita::Markdown::Processor do
|
|
1031
1050
|
end
|
1032
1051
|
end
|
1033
1052
|
end
|
1053
|
+
|
1054
|
+
context "with details tag" do
|
1055
|
+
let(:markdown) do
|
1056
|
+
<<-MARKDOWN.strip_heredoc
|
1057
|
+
<details><summary>Folding sample</summary><div>
|
1058
|
+
|
1059
|
+
```rb
|
1060
|
+
puts "Hello, World"
|
1061
|
+
```
|
1062
|
+
</div></details>
|
1063
|
+
MARKDOWN
|
1064
|
+
end
|
1065
|
+
|
1066
|
+
it "returns HTML output parsed as markdown" do
|
1067
|
+
expect(subject).to eq <<-HTML.strip_heredoc
|
1068
|
+
<p><details><summary>Folding sample</summary><div>
|
1069
|
+
|
1070
|
+
<div class="code-frame" data-lang="rb"><div class="highlight"><pre><span></span><span class="nb">puts</span> <span class="s2">"Hello, World"</span>
|
1071
|
+
</pre></div></div>
|
1072
|
+
|
1073
|
+
<p></p>
|
1074
|
+
</div></details></p>
|
1075
|
+
HTML
|
1076
|
+
end
|
1077
|
+
end
|
1034
1078
|
end
|
1035
1079
|
|
1036
1080
|
shared_examples_for "script element" do |allowed:|
|
@@ -1407,40 +1451,26 @@ describe Qiita::Markdown::Processor do
|
|
1407
1451
|
end
|
1408
1452
|
end
|
1409
1453
|
|
1410
|
-
context "with HTML embed code for
|
1454
|
+
context "with HTML embed code for Youtube" do
|
1411
1455
|
let(:markdown) do
|
1412
1456
|
<<-MARKDOWN.strip_heredoc
|
1413
|
-
<
|
1457
|
+
<iframe width="100" height="100" src="https://www.youtube.com/embed/example"></iframe>
|
1414
1458
|
MARKDOWN
|
1415
1459
|
end
|
1416
1460
|
|
1417
1461
|
if allowed
|
1418
1462
|
it "does not sanitize embed code" do
|
1419
1463
|
should eq <<-HTML.strip_heredoc
|
1420
|
-
<
|
1464
|
+
<iframe width="100" height="100" src="https://www.youtube.com/embed/example"></iframe>
|
1421
1465
|
HTML
|
1422
1466
|
end
|
1423
1467
|
else
|
1424
|
-
it "forces
|
1468
|
+
it "forces width attribute on iframe" do
|
1425
1469
|
should eq <<-HTML.strip_heredoc
|
1426
|
-
<
|
1470
|
+
<iframe width="100%" height="100" src="https://www.youtube.com/embed/example"></iframe>
|
1427
1471
|
HTML
|
1428
1472
|
end
|
1429
1473
|
end
|
1430
|
-
end
|
1431
|
-
|
1432
|
-
context "with HTML embed code for Youtube" do
|
1433
|
-
let(:markdown) do
|
1434
|
-
<<-MARKDOWN.strip_heredoc
|
1435
|
-
<iframe width="100" height="100" src="https://www.youtube.com/embed/example"></iframe>
|
1436
|
-
MARKDOWN
|
1437
|
-
end
|
1438
|
-
|
1439
|
-
it "does not sanitize embed code" do
|
1440
|
-
should eq <<-HTML.strip_heredoc
|
1441
|
-
<iframe width="100" height="100" src="https://www.youtube.com/embed/example"></iframe>
|
1442
|
-
HTML
|
1443
|
-
end
|
1444
1474
|
|
1445
1475
|
context "when url is privacy enhanced mode" do
|
1446
1476
|
let(:markdown) do
|
@@ -1449,10 +1479,18 @@ describe Qiita::Markdown::Processor do
|
|
1449
1479
|
MARKDOWN
|
1450
1480
|
end
|
1451
1481
|
|
1452
|
-
|
1453
|
-
|
1454
|
-
|
1455
|
-
|
1482
|
+
if allowed
|
1483
|
+
it "does not sanitize embed code" do
|
1484
|
+
should eq <<-HTML.strip_heredoc
|
1485
|
+
<iframe width="100" height="100" src="https://www.youtube-nocookie.com/embed/example"></iframe>
|
1486
|
+
HTML
|
1487
|
+
end
|
1488
|
+
else
|
1489
|
+
it "forces width attribute on iframe" do
|
1490
|
+
should eq <<-HTML.strip_heredoc
|
1491
|
+
<iframe width="100%" height="100" src="https://www.youtube-nocookie.com/embed/example"></iframe>
|
1492
|
+
HTML
|
1493
|
+
end
|
1456
1494
|
end
|
1457
1495
|
end
|
1458
1496
|
end
|
@@ -1464,10 +1502,18 @@ describe Qiita::Markdown::Processor do
|
|
1464
1502
|
MARKDOWN
|
1465
1503
|
end
|
1466
1504
|
|
1467
|
-
|
1468
|
-
|
1469
|
-
|
1470
|
-
|
1505
|
+
if allowed
|
1506
|
+
it "does not sanitize embed code" do
|
1507
|
+
should eq <<-HTML.strip_heredoc
|
1508
|
+
<iframe width="100" height="100" src="https://www.slideshare.net/embed/example"></iframe>
|
1509
|
+
HTML
|
1510
|
+
end
|
1511
|
+
else
|
1512
|
+
it "forces width attribute on iframe" do
|
1513
|
+
should eq <<-HTML.strip_heredoc
|
1514
|
+
<iframe width="100%" height="100" src="https://www.slideshare.net/embed/example"></iframe>
|
1515
|
+
HTML
|
1516
|
+
end
|
1471
1517
|
end
|
1472
1518
|
end
|
1473
1519
|
|
@@ -1478,10 +1524,18 @@ describe Qiita::Markdown::Processor do
|
|
1478
1524
|
MARKDOWN
|
1479
1525
|
end
|
1480
1526
|
|
1481
|
-
|
1482
|
-
|
1483
|
-
|
1484
|
-
|
1527
|
+
if allowed
|
1528
|
+
it "does not sanitize embed code" do
|
1529
|
+
should eq <<-HTML.strip_heredoc
|
1530
|
+
<iframe src="https://docs.google.com/presentation/d/example/embed" frameborder="0" width="482" height="300" allowfullscreen="true"></iframe>
|
1531
|
+
HTML
|
1532
|
+
end
|
1533
|
+
else
|
1534
|
+
it "forces width attribute on iframe" do
|
1535
|
+
should eq <<-HTML.strip_heredoc
|
1536
|
+
<iframe src="https://docs.google.com/presentation/d/example/embed" frameborder="0" width="100%" height="300" allowfullscreen="true"></iframe>
|
1537
|
+
HTML
|
1538
|
+
end
|
1485
1539
|
end
|
1486
1540
|
end
|
1487
1541
|
|
@@ -1522,6 +1576,34 @@ describe Qiita::Markdown::Processor do
|
|
1522
1576
|
HTML
|
1523
1577
|
end
|
1524
1578
|
end
|
1579
|
+
|
1580
|
+
context "with embed script code with xss" do
|
1581
|
+
let(:markdown) do
|
1582
|
+
<<-MARKDOWN.strip_heredoc
|
1583
|
+
<script async class="speakerdeck-embed" data-id="example" data-ratio="1.33333333333333" src="javascript://speakerdeck.com/assets/embed.js"></script>
|
1584
|
+
MARKDOWN
|
1585
|
+
|
1586
|
+
it "forces width attribute on iframe" do
|
1587
|
+
should eq <<-HTML.strip_heredoc
|
1588
|
+
\n
|
1589
|
+
HTML
|
1590
|
+
end
|
1591
|
+
end
|
1592
|
+
end
|
1593
|
+
|
1594
|
+
context "with embed iframe code with xss" do
|
1595
|
+
let(:markdown) do
|
1596
|
+
<<-MARKDOWN.strip_heredoc
|
1597
|
+
<iframe src="javascript://docs.google.com:80/%0d%0aalert(document.domain)" frameborder="0" width="482" height="300" allowfullscreen="true" mozallowfullscreen="true" webkitallowfullscreen="true"></iframe>
|
1598
|
+
MARKDOWN
|
1599
|
+
|
1600
|
+
it "forces width attribute on iframe" do
|
1601
|
+
should eq <<-HTML.strip_heredoc
|
1602
|
+
\n
|
1603
|
+
HTML
|
1604
|
+
end
|
1605
|
+
end
|
1606
|
+
end
|
1525
1607
|
end
|
1526
1608
|
|
1527
1609
|
context "without script and strict context" do
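Review bot: In the two new contexts `with embed script code with xss` and `with embed iframe code with xss`, the `let(:markdown) do` block is never closed before the `it` — the three `end`s that follow the `HTML` terminator close the `it`, the `let` and the `context` — so the example is defined inside the lazily evaluated `let` body, is never registered, and both XSS regression tests are silently skipped. Add `end` directly after the `MARKDOWN` terminator in each context so the `it` sits at context level, as the `with footenotes syntax with code block` context earlier in this diff does. The descriptions `it "forces width attribute on iframe"` were copied from the width tests and do not describe the assertion; `it "removes the script element"` and `it "removes the iframe element"` would match the expected empty output. Because these examples never ran, the `\n` expectation inside the `<<-HTML` heredoc is unverified and may need adjusting once they execute.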
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: qiita-markdown
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.34.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Ryo Nakamura
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2021-
|
11
|
+
date: 2021-03-19 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: gemoji
|
@@ -86,14 +86,14 @@ dependencies:
|
|
86
86
|
requirements:
|
87
87
|
- - '='
|
88
88
|
- !ruby/object:Gem::Version
|
89
|
-
version: 3.
|
89
|
+
version: 3.5.1.1
|
90
90
|
type: :runtime
|
91
91
|
prerelease: false
|
92
92
|
version_requirements: !ruby/object:Gem::Requirement
|
93
93
|
requirements:
|
94
94
|
- - '='
|
95
95
|
- !ruby/object:Gem::Version
|
96
|
-
version: 3.
|
96
|
+
version: 3.5.1.1
|
97
97
|
- !ruby/object:Gem::Dependency
|
98
98
|
name: sanitize
|
99
99
|
requirement: !ruby/object:Gem::Requirement
|
@@ -258,7 +258,6 @@ files:
|
|
258
258
|
- lib/qiita/markdown/base_processor.rb
|
259
259
|
- lib/qiita/markdown/embed/asciinema.rb
|
260
260
|
- lib/qiita/markdown/embed/code_pen.rb
|
261
|
-
- lib/qiita/markdown/embed/gist.rb
|
262
261
|
- lib/qiita/markdown/embed/google_slide.rb
|
263
262
|
- lib/qiita/markdown/embed/slide_share.rb
|
264
263
|
- lib/qiita/markdown/embed/speeker_deck.rb
|