qiita-markdown 0.23.0 → 0.24.0

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.

This version of qiita-markdown might be problematic. Click here for more details.

Files changed (12) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +5 -0
  3. data/lib/qiita/markdown/embed/code_pen.rb +9 -1
  4. data/lib/qiita/markdown/embed/tweet.rb +5 -0
  5. data/lib/qiita/markdown/filters/final_sanitizer.rb +1 -0
  6. data/lib/qiita/markdown/filters/user_input_sanitizer.rb +1 -1
  7. data/lib/qiita/markdown/greenmat/html_toc_renderer.rb +6 -0
  8. data/lib/qiita/markdown/transformers/filter_attributes.rb +1 -1
  9. data/lib/qiita/markdown/version.rb +1 -1
  10. data/spec/qiita/markdown/greenmat/html_toc_renderer_spec.rb +32 -12
  11. data/spec/qiita/markdown/processor_spec.rb +30 -17
  12. metadata +2 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 16c43409c5b2bdceefb568344cf9280e7d1e50b2
4
- data.tar.gz: f4225f554071f1e8c8c339248f08b3ef5253be46
3
+ metadata.gz: 2ebf4b7bf3373510614a5718e5f679f8b811e799
4
+ data.tar.gz: e8c155ed67938804d750f6dbf19ee2dbde25f68f
5
5
  SHA512:
6
- metadata.gz: 5a9edc2d4826bfefd294ad32cf556fbb6985ac94d4e91a435a9513f6aec51c1a58bc435eebd45350e275ad1e5314c188c0e56bd3d56bc6130d9fcbe18f72ba6e
7
- data.tar.gz: 2da9ab1ee70db812a391875522e53606991f177d1f66b7da80192b9db1bbda9cc83d101cb6b01fd292c6dc405b35ccac4cc01a694d7f872b9e7ae5b01bc19155
6
+ metadata.gz: 0b9770f4cc579ccbb39b7e6b3b4d624937f7e12572bbdaa8db7e2d634439441c4f87b9a5a314a52d10647dd19279d2e5589c6781d161e1368993849590753ba2
7
+ data.tar.gz: 9ee149a5fc1470e7d7a3e8dca59b2a4cc9fc8765f7494f8703e33222a24811275be35d544fdc520bd092c1607f7951ca6fd1befd3c19919d2dfe9c0187906254
data/CHANGELOG.md CHANGED
@@ -1,5 +1,10 @@
1
1
  ## Unreleased
2
2
 
3
+ ## 0.24.0
4
+
5
+ - Fix to strip HTML tags in ToC
6
+ - Allow to use data-\* attributes when embedding Tweet and CodePen
7
+
3
8
  ## 0.23.0
4
9
 
5
10
  - Support embed Tweet
data/lib/qiita/markdown/embed/code_pen.rb CHANGED
@@ -3,7 +3,15 @@ module Qiita
3
3
  module Embed
4
4
  module CodePen
5
5
  SCRIPT_URL = "https://production-assets.codepen.io/assets/embed/ei.js"
6
- ATTRIBUTES = %w[class data-embed-version data-slug-hash]
6
+ CLASS_NAME = %w[codepen]
7
+ DATA_ATTRIBUTES = %w[
8
+ data-active-link-color data-active-tab-color data-animations data-border
9
+ data-border-color data-class data-custom-css-url data-default-tab
10
+ data-embed-version data-height data-link-logo-color data-pen-title
11
+ data-preview data-rerun-position data-show-tab-bar data-slug-hash
12
+ data-tab-bar-color data-tab-link-color data-theme-id data-user
13
+ ]
14
+ ATTRIBUTES = %w[class] + DATA_ATTRIBUTES
7
15
  end
8
16
  end
9
17
  end
data/lib/qiita/markdown/embed/tweet.rb CHANGED
@@ -4,6 +4,11 @@ module Qiita
4
4
  module Tweet
5
5
  SCRIPT_URL = "https://platform.twitter.com/widgets.js"
6
6
  CLASS_NAME = %w[twitter-tweet]
7
+ DATA_ATTRIBUTES = %w[
8
+ data-align data-cards data-conversation data-dnt
9
+ data-id data-lang data-link-color data-theme data-width
10
+ ]
11
+ ATTRIBUTES = %w[class] + DATA_ATTRIBUTES
7
12
  end
8
13
  end
9
14
  end
data/lib/qiita/markdown/filters/final_sanitizer.rb CHANGED
@@ -18,6 +18,7 @@ module Qiita
18
18
  "href",
19
19
  "rel",
20
20
  ],
21
+ "blockquote" => Embed::Tweet::ATTRIBUTES,
21
22
  "iframe" => [
22
23
  "allowfullscreen",
23
24
  "frameborder",
data/lib/qiita/markdown/filters/user_input_sanitizer.rb CHANGED
@@ -11,7 +11,7 @@ module Qiita
11
11
  ],
12
12
  attributes: {
13
13
  "a" => %w[class href rel title],
14
- "blockquote" => %w[cite class],
14
+ "blockquote" => %w[cite] + Embed::Tweet::ATTRIBUTES,
15
15
  "code" => %w[data-metadata],
16
16
  "div" => %w[class],
17
17
  "font" => %w[color],
data/lib/qiita/markdown/greenmat/html_toc_renderer.rb CHANGED
@@ -65,6 +65,12 @@ module Qiita
65
65
  def increment
66
66
  counter[id] += 1
67
67
  end
68
+
69
+ private
70
+
71
+ def body
72
+ escape_html? ? CGI.escape_html(text) : raw_body
73
+ end
68
74
  end
69
75
  end
70
76
  end
data/lib/qiita/markdown/transformers/filter_attributes.rb CHANGED
@@ -15,7 +15,7 @@ module Qiita
15
15
  "class" => %w[footnotes],
16
16
  },
17
17
  "p" => {
18
- "class" => %w[codepen],
18
+ "class" => Embed::CodePen::CLASS_NAME,
19
19
  },
20
20
  "sup" => {
21
21
  "id" => /\Afnref\d+\z/,
data/lib/qiita/markdown/version.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  module Qiita
2
2
  module Markdown
3
- VERSION = "0.23.0"
3
+ VERSION = "0.24.0"
4
4
  end
5
5
  end
data/spec/qiita/markdown/greenmat/html_toc_renderer_spec.rb CHANGED
@@ -117,20 +117,40 @@ describe Qiita::Markdown::Greenmat::HTMLToCRenderer do
117
117
  context "with :escape_html extension" do
118
118
  let(:extension) { { escape_html: true } }
119
119
 
120
- let(:markdown) do
121
- <<-EOS.strip_heredoc
122
- # <b>R&amp;B</b>
123
- EOS
120
+ context "with heading title including HTML tags" do
121
+ let(:markdown) do
122
+ <<-EOS.strip_heredoc
123
+ # <b>R&amp;B</b>
124
+ EOS
125
+ end
126
+
127
+ it "strips HTML characters in heading title" do
128
+ should eq <<-EOS.strip_heredoc
129
+ <ul>
130
+ <li>
131
+ <a href="#rb">R&amp;B</a>
132
+ </li>
133
+ </ul>
134
+ EOS
135
+ end
124
136
  end
125
137
 
126
- it "escapes special HTML characters in heading title" do
127
- should eq <<-EOS.strip_heredoc
128
- <ul>
129
- <li>
130
- <a href="#rb">&lt;b&gt;R&amp;amp;B&lt;/b&gt;</a>
131
- </li>
132
- </ul>
133
- EOS
138
+ context "with heading title including HTML tags inside of code" do
139
+ let(:markdown) do
140
+ <<-EOS.strip_heredoc
141
+ # `<div>`
142
+ EOS
143
+ end
144
+
145
+ it "escapes HTML tags inside of code" do
146
+ should eq <<-EOS.strip_heredoc
147
+ <ul>
148
+ <li>
149
+ <a href="#div">&lt;div&gt;</a>
150
+ </li>
151
+ </ul>
152
+ EOS
153
+ end
134
154
  end
135
155
  end
136
156
  end
data/spec/qiita/markdown/processor_spec.rb CHANGED
@@ -1162,6 +1162,28 @@ describe Qiita::Markdown::Processor do
1162
1162
  end
1163
1163
  end
1164
1164
 
1165
+ context "with data-attributes for <blockquote> tag" do
1166
+ let(:markdown) do
1167
+ <<-EOS.strip_heredoc
1168
+ <blockquote data-theme="a" data-malicious="b"></blockquote>
1169
+ EOS
1170
+ end
1171
+
1172
+ if allowed
1173
+ it "does not sanitize data-attributes" do
1174
+ should eq <<-EOS.strip_heredoc
1175
+ <blockquote data-theme="a" data-malicious="b"></blockquote>
1176
+ EOS
1177
+ end
1178
+ else
1179
+ it "sanitizes data-attributes except the attributes used by tweet" do
1180
+ should eq <<-EOS.strip_heredoc
1181
+ <blockquote data-theme="a"></blockquote>
1182
+ EOS
1183
+ end
1184
+ end
1185
+ end
1186
+
1165
1187
  context "with data-attributes for <p> tag" do
1166
1188
  let(:markdown) do
1167
1189
  <<-EOS.strip_heredoc
@@ -1329,9 +1351,9 @@ describe Qiita::Markdown::Processor do
1329
1351
  EOS
1330
1352
  end
1331
1353
  else
1332
- it "sanitizes data-attributes except the minimum attributes and force async attribute" do
1354
+ it "forces async attribute on script" do
1333
1355
  should eq <<-EOS.strip_heredoc
1334
- <p data-slug-hash="foo" data-embed-version="2" class="codepen"></p>\n
1356
+ <p data-height="1" data-theme-id="0" data-slug-hash="foo" data-default-tab="bar" data-user="baz" data-embed-version="2" data-pen-title="qux" class="codepen"></p>\n
1335
1357
  <script src="https://production-assets.codepen.io/assets/embed/ei.js" async="async"></script>
1336
1358
  EOS
1337
1359
  end
@@ -1341,25 +1363,16 @@ describe Qiita::Markdown::Processor do
1341
1363
  context "with embed code for Tweet" do
1342
1364
  let(:markdown) do
1343
1365
  <<-EOS.strip_heredoc
1344
- <blockquote class="twitter-tweet" data-cards="hidden" data-conversation="none">foo</blockquote>
1366
+ <blockquote class="twitter-tweet" data-lang="es" data-cards="hidden" data-conversation="none">foo</blockquote>
1345
1367
  <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
1346
1368
  EOS
1347
1369
  end
1348
1370
 
1349
- if allowed
1350
- it "does not sanitize embed code" do
1351
- should eq <<-EOS.strip_heredoc
1352
- <blockquote class="twitter-tweet" data-cards="hidden" data-conversation="none">foo</blockquote>\n
1353
- <script async src="https://platform.twitter.com/widgets.js"></script>
1354
- EOS
1355
- end
1356
- else
1357
- it "sanitizes attributes except `twitter-tweet` class" do
1358
- should eq <<-EOS.strip_heredoc
1359
- <blockquote class="twitter-tweet">foo</blockquote>\n
1360
- <script async src="https://platform.twitter.com/widgets.js"></script>
1361
- EOS
1362
- end
1371
+ it "does not sanitize embed code" do
1372
+ should eq <<-EOS.strip_heredoc
1373
+ <blockquote class="twitter-tweet" data-lang="es" data-cards="hidden" data-conversation="none">foo</blockquote>\n
1374
+ <script async src="https://platform.twitter.com/widgets.js"></script>
1375
+ EOS
1363
1376
  end
1364
1377
  end
1365
1378
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: qiita-markdown
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.23.0
4
+ version: 0.24.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Ryo Nakamura
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-12-09 00:00:00.000000000 Z
11
+ date: 2017-12-21 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: gemoji