qiita-markdown 0.30.0 → 0.35.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +21 -0
- data/lib/qiita/markdown.rb +0 -1
- data/lib/qiita/markdown/transformers/filter_iframe.rb +6 -2
- data/lib/qiita/markdown/transformers/filter_script.rb +5 -3
- data/lib/qiita/markdown/version.rb +1 -1
- data/qiita-markdown.gemspec +1 -1
- data/spec/qiita/markdown/processor_spec.rb +186 -52
- metadata +4 -5
- data/lib/qiita/markdown/embed/gist.rb +0 -9
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 23da6f6f9b37dafcbe18164c13d4531998cfca14e0891801b4e8a1fdab6d625c
|
4
|
+
data.tar.gz: 620e9a413d9d0649511a883d40c4a398260f739a2c01774645d1e717421d54f5
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: f2cfa06b888dd9e08a22a88b822a7a280afec1289c1f9f3833c64692e37edc3b637c26739ab1f607c2e4cab1da1559510bc7a63836e462dc3c4dcc81f4da8343
|
7
|
+
data.tar.gz: 125ff10aa432f848e8c790f497f2467f1f825431b1cdeed1a085f14da230fdc5800c752a64b86f90d5e4acf36fc4f4c8b9e2efd30f808cee6ac713b32ffc0b01
|
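--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,26 @@
 ## Unreleased
 
+## 0.35.0
+
+- Allow Relative URL in iframe src attributes
+
+## 0.34.0
+
+- Delete gist embed rule to avoid XSS
+
+## 0.33.0
+
+- Fix XSS possibility bug
+
+## 0.32.0
+
+- Fix XSS possibility bug
+- Fix iframe width to be fixed at 100%
+
+## 0.31.0
+
+- Use greenmat 3.5.1.1
+
 ## 0.30.0
 
 - Use greenmat 3.5.1.0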
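--- a/data/lib/qiita/markdown.rb
+++ b/data/lib/qiita/markdown.rb
@@ -10,7 +10,6 @@ require "sanitize"
 require "qiita/markdown/embed/code_pen"
 require "qiita/markdown/embed/tweet"
 require "qiita/markdown/embed/asciinema"
-require "qiita/markdown/embed/gist"
 require "qiita/markdown/embed/youtube"
 require "qiita/markdown/embed/slide_share"
 require "qiita/markdown/embed/google_slide"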
@@ -22,6 +22,7 @@ module Qiita
|
|
22
22
|
def transform
|
23
23
|
if name == "iframe"
|
24
24
|
if URL_WHITE_LIST.include?(node["src"]) || HOST_WHITE_LIST.include?(host_of(node["src"]))
|
25
|
+
node["width"] = "100%"
|
25
26
|
node.children.unlink
|
26
27
|
else
|
27
28
|
node.unlink
|
@@ -40,8 +41,11 @@ module Qiita
|
|
40
41
|
end
|
41
42
|
|
42
43
|
def host_of(url)
|
43
|
-
|
44
|
-
|
44
|
+
if url
|
45
|
+
scheme = URI.parse(url).scheme
|
46
|
+
Addressable::URI.parse(url).host if ["http", "https", nil].include? scheme
|
47
|
+
end
|
48
|
+
rescue Addressable::URI::InvalidURIError, URI::InvalidURIError
|
45
49
|
nil
|
46
50
|
end
|
47
51
|
end
|
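Review bot: `host_of` takes the scheme from `URI.parse(url)` but the host from `Addressable::URI.parse(url)`, so the allowlist decision in `HOST_WHITE_LIST.include?(host_of(node["src"]))` rests on two parsers that may split scheme and authority differently on edge-case input; deriving both from one parsed object is safer, e.g. `uri = Addressable::URI.parse(url)` then `uri.host if ["http", "https", nil].include?(uri.scheme)` (compare the scheme case-insensitively, since Addressable keeps it as written). The `nil` entry is what implements the changelog's "Allow Relative URL in iframe src attributes" and deserves a comment, e.g. `# nil scheme: scheme-relative "//host/..." src; anything other than http(s) (javascript:, data:, ...) yields nil and the iframe is unlinked`. The same two-parser shape appears in the host_of hunk at `@@ -43,8 +42,11 @@` (filter_script.rb per the diffstat), which keeps rejecting a nil scheme as this file did before. `HOST_WHITE_LIST` and the rest of the transformer are outside this hunk.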
@@ -10,7 +10,6 @@ module Qiita
|
|
10
10
|
|
11
11
|
HOST_WHITE_LIST = [
|
12
12
|
Embed::Asciinema::SCRIPT_HOST,
|
13
|
-
Embed::Gist::SCRIPT_HOST,
|
14
13
|
].flatten.freeze
|
15
14
|
|
16
15
|
def self.call(*args)
|
@@ -43,8 +42,11 @@ module Qiita
|
|
43
42
|
end
|
44
43
|
|
45
44
|
def host_of(url)
|
46
|
-
|
47
|
-
|
45
|
+
if url
|
46
|
+
scheme = URI.parse(url).scheme
|
47
|
+
Addressable::URI.parse(url).host if ["http", "https"].include? scheme
|
48
|
+
end
|
49
|
+
rescue Addressable::URI::InvalidURIError, URI::InvalidURIError
|
48
50
|
nil
|
49
51
|
end
|
50
52
|
end
|
data/qiita-markdown.gemspec
CHANGED
@@ -23,7 +23,7 @@ Gem::Specification.new do |spec|
|
|
23
23
|
spec.add_dependency "html-pipeline", "~> 2.0"
|
24
24
|
spec.add_dependency "mem"
|
25
25
|
spec.add_dependency "pygments.rb", "~> 1.0"
|
26
|
-
spec.add_dependency "greenmat", "3.5.1.
|
26
|
+
spec.add_dependency "greenmat", "3.5.1.1"
|
27
27
|
spec.add_dependency "sanitize"
|
28
28
|
spec.add_dependency "addressable"
|
29
29
|
spec.add_development_dependency "activesupport", "4.2.6"
|
@@ -1050,6 +1050,31 @@ describe Qiita::Markdown::Processor do
|
|
1050
1050
|
end
|
1051
1051
|
end
|
1052
1052
|
end
|
1053
|
+
|
1054
|
+
context "with details tag" do
|
1055
|
+
let(:markdown) do
|
1056
|
+
<<-MARKDOWN.strip_heredoc
|
1057
|
+
<details><summary>Folding sample</summary><div>
|
1058
|
+
|
1059
|
+
```rb
|
1060
|
+
puts "Hello, World"
|
1061
|
+
```
|
1062
|
+
</div></details>
|
1063
|
+
MARKDOWN
|
1064
|
+
end
|
1065
|
+
|
1066
|
+
it "returns HTML output parsed as markdown" do
|
1067
|
+
expect(subject).to eq <<-HTML.strip_heredoc
|
1068
|
+
<p><details><summary>Folding sample</summary><div>
|
1069
|
+
|
1070
|
+
<div class="code-frame" data-lang="rb"><div class="highlight"><pre><span></span><span class="nb">puts</span> <span class="s2">"Hello, World"</span>
|
1071
|
+
</pre></div></div>
|
1072
|
+
|
1073
|
+
<p></p>
|
1074
|
+
</div></details></p>
|
1075
|
+
HTML
|
1076
|
+
end
|
1077
|
+
end
|
1053
1078
|
end
|
1054
1079
|
|
1055
1080
|
shared_examples_for "script element" do |allowed:|
|
@@ -1119,12 +1144,13 @@ describe Qiita::Markdown::Processor do
|
|
1119
1144
|
end
|
1120
1145
|
|
1121
1146
|
shared_examples_for "iframe element" do |allowed:|
|
1122
|
-
|
1147
|
+
shared_examples "iframe element example" do
|
1123
1148
|
let(:markdown) do
|
1124
1149
|
<<-MARKDOWN.strip_heredoc
|
1125
|
-
<iframe width="1" height="2" src="
|
1150
|
+
<iframe width="1" height="2" src="#{url}" frameborder="0" allowfullscreen></iframe>
|
1126
1151
|
MARKDOWN
|
1127
1152
|
end
|
1153
|
+
let(:url) { "#{scheme}//example.com" }
|
1128
1154
|
|
1129
1155
|
if allowed
|
1130
1156
|
it "allows iframe with some attributes" do
|
@@ -1136,6 +1162,20 @@ describe Qiita::Markdown::Processor do
|
|
1136
1162
|
end
|
1137
1163
|
end
|
1138
1164
|
end
|
1165
|
+
|
1166
|
+
context "with iframe" do
|
1167
|
+
context "with scheme" do
|
1168
|
+
let(:scheme) { "https:" }
|
1169
|
+
|
1170
|
+
include_examples "iframe element example"
|
1171
|
+
end
|
1172
|
+
|
1173
|
+
context "without scheme" do
|
1174
|
+
let(:scheme) { "" }
|
1175
|
+
|
1176
|
+
include_examples "iframe element example"
|
1177
|
+
end
|
1178
|
+
end
|
1139
1179
|
end
|
1140
1180
|
|
1141
1181
|
shared_examples_for "input element" do |allowed:|
|
@@ -1426,81 +1466,137 @@ describe Qiita::Markdown::Processor do
|
|
1426
1466
|
end
|
1427
1467
|
end
|
1428
1468
|
|
1429
|
-
context "with HTML embed code for
|
1430
|
-
|
1431
|
-
|
1432
|
-
|
1433
|
-
|
1434
|
-
|
1469
|
+
context "with HTML embed code for Youtube" do
|
1470
|
+
shared_examples "embed code youtube example" do
|
1471
|
+
let(:markdown) do
|
1472
|
+
<<-MARKDOWN.strip_heredoc
|
1473
|
+
<iframe width="100" height="100" src="#{url}"></iframe>
|
1474
|
+
MARKDOWN
|
1475
|
+
end
|
1476
|
+
let(:url) { "#{scheme}//www.youtube.com/embed/example" }
|
1435
1477
|
|
1436
|
-
|
1437
|
-
|
1438
|
-
|
1439
|
-
|
1440
|
-
|
1478
|
+
if allowed
|
1479
|
+
it "does not sanitize embed code" do
|
1480
|
+
should eq <<-HTML.strip_heredoc
|
1481
|
+
<iframe width="100" height="100" src="#{url}"></iframe>
|
1482
|
+
HTML
|
1483
|
+
end
|
1484
|
+
else
|
1485
|
+
it "forces width attribute on iframe" do
|
1486
|
+
should eq <<-HTML.strip_heredoc
|
1487
|
+
<iframe width="100%" height="100" src="#{url}"></iframe>
|
1488
|
+
HTML
|
1489
|
+
end
|
1441
1490
|
end
|
1442
|
-
|
1443
|
-
|
1444
|
-
|
1445
|
-
|
1446
|
-
|
1491
|
+
|
1492
|
+
context "when url is privacy enhanced mode" do
|
1493
|
+
let(:markdown) do
|
1494
|
+
<<-MARKDOWN.strip_heredoc
|
1495
|
+
<iframe width="100" height="100" src="#{url}"></iframe>
|
1496
|
+
MARKDOWN
|
1497
|
+
end
|
1498
|
+
let(:url) { "#{scheme}//www.youtube-nocookie.com/embed/example" }
|
1499
|
+
|
1500
|
+
if allowed
|
1501
|
+
it "does not sanitize embed code" do
|
1502
|
+
should eq <<-HTML.strip_heredoc
|
1503
|
+
<iframe width="100" height="100" src="#{url}"></iframe>
|
1504
|
+
HTML
|
1505
|
+
end
|
1506
|
+
else
|
1507
|
+
it "forces width attribute on iframe" do
|
1508
|
+
should eq <<-HTML.strip_heredoc
|
1509
|
+
<iframe width="100%" height="100" src="#{url}"></iframe>
|
1510
|
+
HTML
|
1511
|
+
end
|
1512
|
+
end
|
1447
1513
|
end
|
1448
1514
|
end
|
1449
|
-
end
|
1450
1515
|
|
1451
|
-
|
1452
|
-
|
1453
|
-
|
1454
|
-
|
1455
|
-
MARKDOWN
|
1516
|
+
context "with scheme" do
|
1517
|
+
let(:scheme) { "https:" }
|
1518
|
+
|
1519
|
+
include_examples "embed code youtube example"
|
1456
1520
|
end
|
1457
1521
|
|
1458
|
-
|
1459
|
-
|
1460
|
-
|
1461
|
-
|
1522
|
+
context "without scheme" do
|
1523
|
+
let(:scheme) { "" }
|
1524
|
+
|
1525
|
+
include_examples "embed code youtube example"
|
1462
1526
|
end
|
1527
|
+
end
|
1463
1528
|
|
1464
|
-
|
1529
|
+
context "with HTML embed code for SlideShare" do
|
1530
|
+
shared_examples "embed code slideshare example" do
|
1465
1531
|
let(:markdown) do
|
1466
1532
|
<<-MARKDOWN.strip_heredoc
|
1467
|
-
<iframe width="100" height="100" src="
|
1533
|
+
<iframe width="100" height="100" src="#{url}"></iframe>
|
1468
1534
|
MARKDOWN
|
1469
1535
|
end
|
1536
|
+
let(:url) { "#{scheme}//www.slideshare.net/embed/example" }
|
1470
1537
|
|
1471
|
-
|
1472
|
-
|
1473
|
-
|
1474
|
-
|
1538
|
+
if allowed
|
1539
|
+
it "does not sanitize embed code" do
|
1540
|
+
should eq <<-HTML.strip_heredoc
|
1541
|
+
<iframe width="100" height="100" src="#{url}"></iframe>
|
1542
|
+
HTML
|
1543
|
+
end
|
1544
|
+
else
|
1545
|
+
it "forces width attribute on iframe" do
|
1546
|
+
should eq <<-HTML.strip_heredoc
|
1547
|
+
<iframe width="100%" height="100" src="#{url}"></iframe>
|
1548
|
+
HTML
|
1549
|
+
end
|
1475
1550
|
end
|
1476
1551
|
end
|
1477
|
-
end
|
1478
1552
|
|
1479
|
-
|
1480
|
-
|
1481
|
-
|
1482
|
-
|
1483
|
-
MARKDOWN
|
1553
|
+
context "with scheme" do
|
1554
|
+
let(:scheme) { "https:" }
|
1555
|
+
|
1556
|
+
include_examples "embed code slideshare example"
|
1484
1557
|
end
|
1485
1558
|
|
1486
|
-
|
1487
|
-
|
1488
|
-
|
1489
|
-
|
1559
|
+
context "without scheme" do
|
1560
|
+
let(:scheme) { "" }
|
1561
|
+
|
1562
|
+
include_examples "embed code slideshare example"
|
1490
1563
|
end
|
1491
1564
|
end
|
1492
1565
|
|
1493
1566
|
context "with HTML embed code for GoogleSlide" do
|
1494
|
-
|
1495
|
-
|
1496
|
-
|
1497
|
-
|
1567
|
+
shared_examples "embed code googleslide example" do
|
1568
|
+
let(:markdown) do
|
1569
|
+
<<-MARKDOWN.strip_heredoc
|
1570
|
+
<iframe src="#{url}" frameborder="0" width="482" height="300" allowfullscreen="true" mozallowfullscreen="true" webkitallowfullscreen="true"></iframe>
|
1571
|
+
MARKDOWN
|
1572
|
+
end
|
1573
|
+
let(:url) { "#{scheme}//docs.google.com/presentation/d/example/embed" }
|
1574
|
+
|
1575
|
+
if allowed
|
1576
|
+
it "does not sanitize embed code" do
|
1577
|
+
should eq <<-HTML.strip_heredoc
|
1578
|
+
<iframe src="#{url}" frameborder="0" width="482" height="300" allowfullscreen="true"></iframe>
|
1579
|
+
HTML
|
1580
|
+
end
|
1581
|
+
else
|
1582
|
+
it "forces width attribute on iframe" do
|
1583
|
+
should eq <<-HTML.strip_heredoc
|
1584
|
+
<iframe src="#{url}" frameborder="0" width="100%" height="300" allowfullscreen="true"></iframe>
|
1585
|
+
HTML
|
1586
|
+
end
|
1587
|
+
end
|
1498
1588
|
end
|
1499
1589
|
|
1500
|
-
|
1501
|
-
|
1502
|
-
|
1503
|
-
|
1590
|
+
context "with scheme" do
|
1591
|
+
let(:scheme) { "https:" }
|
1592
|
+
|
1593
|
+
include_examples "embed code googleslide example"
|
1594
|
+
end
|
1595
|
+
|
1596
|
+
context "without scheme" do
|
1597
|
+
let(:scheme) { "" }
|
1598
|
+
|
1599
|
+
include_examples "embed code googleslide example"
|
1504
1600
|
end
|
1505
1601
|
end
|
1506
1602
|
|
@@ -1541,6 +1637,44 @@ describe Qiita::Markdown::Processor do
|
|
1541
1637
|
HTML
|
1542
1638
|
end
|
1543
1639
|
end
|
1640
|
+
|
1641
|
+
context "with embed script code with xss" do
|
1642
|
+
let(:markdown) do
|
1643
|
+
<<-MARKDOWN.strip_heredoc
|
1644
|
+
<script async class="speakerdeck-embed" data-id="example" data-ratio="1.33333333333333" src="javascript://speakerdeck.com/assets/embed.js"></script>
|
1645
|
+
MARKDOWN
|
1646
|
+
end
|
1647
|
+
|
1648
|
+
if allowed
|
1649
|
+
it "does not sanitize embed code" do
|
1650
|
+
should eq markdown
|
1651
|
+
end
|
1652
|
+
else
|
1653
|
+
it "forces width attribute on iframe" do
|
1654
|
+
should eq "\n"
|
1655
|
+
end
|
1656
|
+
end
|
1657
|
+
end
|
1658
|
+
|
1659
|
+
context "with embed iframe code with xss" do
|
1660
|
+
let(:markdown) do
|
1661
|
+
<<-MARKDOWN.strip_heredoc
|
1662
|
+
<iframe src="javascript://docs.google.com:80/%0d%0aalert(document.domain)" frameborder="0" width="482" height="300" allowfullscreen="true" mozallowfullscreen="true" webkitallowfullscreen="true"></iframe>
|
1663
|
+
MARKDOWN
|
1664
|
+
end
|
1665
|
+
|
1666
|
+
if allowed
|
1667
|
+
it "does not sanitize embed code" do
|
1668
|
+
should eq <<-HTML.strip_heredoc
|
1669
|
+
<iframe src="javascript://docs.google.com:80/%0d%0aalert(document.domain)" frameborder="0" width="482" height="300" allowfullscreen="true"></iframe>
|
1670
|
+
HTML
|
1671
|
+
end
|
1672
|
+
else
|
1673
|
+
it "forces width attribute on iframe" do
|
1674
|
+
should eq "\n"
|
1675
|
+
end
|
1676
|
+
end
|
1677
|
+
end
|
1544
1678
|
end
|
1545
1679
|
|
1546
1680
|
context "without script and strict context" do
|
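Review bot: The example names in the two new XSS contexts do not describe what they assert: `it "forces width attribute on iframe"` at new line 1653 wraps `should eq "\n"`, i.e. the whole `<script>` is removed, and the same name at new line 1673 covers removal of the `<iframe>`; rename them to `it "removes the script element"` and `it "removes the iframe element"` so a failure message reads correctly. It would also be worth pairing the new `without scheme` contexts (new lines 1173 and 1522 onward) with a negative case — a scheme-relative src whose host is not allowlisted — since the 0.35.0 change is precisely that a nil scheme now reaches the host check, and no such expectation is visible in these hunks. The enclosing `describe` and the shared-example parameter `allowed` start outside the hunk.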
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: qiita-markdown
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.35.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Ryo Nakamura
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2021-
|
11
|
+
date: 2021-04-05 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: gemoji
|
@@ -86,14 +86,14 @@ dependencies:
|
|
86
86
|
requirements:
|
87
87
|
- - '='
|
88
88
|
- !ruby/object:Gem::Version
|
89
|
-
version: 3.5.1.
|
89
|
+
version: 3.5.1.1
|
90
90
|
type: :runtime
|
91
91
|
prerelease: false
|
92
92
|
version_requirements: !ruby/object:Gem::Requirement
|
93
93
|
requirements:
|
94
94
|
- - '='
|
95
95
|
- !ruby/object:Gem::Version
|
96
|
-
version: 3.5.1.
|
96
|
+
version: 3.5.1.1
|
97
97
|
- !ruby/object:Gem::Dependency
|
98
98
|
name: sanitize
|
99
99
|
requirement: !ruby/object:Gem::Requirement
|
@@ -258,7 +258,6 @@ files:
|
|
258
258
|
- lib/qiita/markdown/base_processor.rb
|
259
259
|
- lib/qiita/markdown/embed/asciinema.rb
|
260
260
|
- lib/qiita/markdown/embed/code_pen.rb
|
261
|
-
- lib/qiita/markdown/embed/gist.rb
|
262
261
|
- lib/qiita/markdown/embed/google_slide.rb
|
263
262
|
- lib/qiita/markdown/embed/slide_share.rb
|
264
263
|
- lib/qiita/markdown/embed/speeker_deck.rb
|