qiita-markdown 0.34.0 → 0.35.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 930ee5ee8bc770b95b918f3cfed4fdac57f133e9e69d0b21fff77cd2506a8fdc
-  data.tar.gz: 87f95cb871e08f94e1e03dd11a14ddd974ee24726b78ae3496bd3629e3b76959
+  metadata.gz: 23da6f6f9b37dafcbe18164c13d4531998cfca14e0891801b4e8a1fdab6d625c
+  data.tar.gz: 620e9a413d9d0649511a883d40c4a398260f739a2c01774645d1e717421d54f5
 SHA512:
-  metadata.gz: 0ac7943de01ab9b05c990f6ec8abe64d37c780b186da66b30017129f014d7944aa60e437a9466033b2c801dd701fdf6564d30451bc2ece1d6551011ff44d814b
-  data.tar.gz: cb8bd175dcd7aec1685209eca0c51c396a80d686737267155d1815d98546f65d7fa5927cf525cb109ed777a5a92835239f59d46e70f246e8ddb1bd9b8f7ebac5
+  metadata.gz: f2cfa06b888dd9e08a22a88b822a7a280afec1289c1f9f3833c64692e37edc3b637c26739ab1f607c2e4cab1da1559510bc7a63836e462dc3c4dcc81f4da8343
+  data.tar.gz: 125ff10aa432f848e8c790f497f2467f1f825431b1cdeed1a085f14da230fdc5800c752a64b86f90d5e4acf36fc4f4c8b9e2efd30f808cee6ac713b32ffc0b01

data/CHANGELOG.md

@@ -1,5 +1,9 @@
 ## Unreleased
 
+## 0.35.0
+
+- Allow Relative URL in iframe src attributes
+
 ## 0.34.0
 
 - Delete gist embed rule to avoid XSS

data/lib/qiita/markdown/transformers/filter_iframe.rb

@@ -43,7 +43,7 @@ module Qiita
         def host_of(url)
           if url
             scheme = URI.parse(url).scheme
-            Addressable::URI.parse(url).host if ["http", "https"].include? scheme
+            Addressable::URI.parse(url).host if ["http", "https", nil].include? scheme
           end
         rescue Addressable::URI::InvalidURIError, URI::InvalidURIError
           nil

data/lib/qiita/markdown/version.rb

@@ -1,5 +1,5 @@
 module Qiita
   module Markdown
-    VERSION = "0.34.0"
+    VERSION = "0.35.0"
   end
 end

data/spec/qiita/markdown/processor_spec.rb

@@ -1144,12 +1144,13 @@ describe Qiita::Markdown::Processor do
     end
 
     shared_examples_for "iframe element" do |allowed:|
-      context "with iframe" do
+      shared_examples "iframe element example" do
         let(:markdown) do
           <<-MARKDOWN.strip_heredoc
-            <iframe width="1" height="2" src="//example.com" frameborder="0" allowfullscreen></iframe>
+            <iframe width="1" height="2" src="#{url}" frameborder="0" allowfullscreen></iframe>
           MARKDOWN
         end
+        let(:url) { "#{scheme}//example.com" }
 
         if allowed
           it "allows iframe with some attributes" do
@@ -1161,6 +1162,20 @@ describe Qiita::Markdown::Processor do
           end
         end
       end
+
+      context "with iframe" do
+        context "with scheme" do
+          let(:scheme) { "https:" }
+
+          include_examples "iframe element example"
+        end
+
+        context "without scheme" do
+          let(:scheme) { "" }
+
+          include_examples "iframe element example"
+        end
+      end
     end
 
     shared_examples_for "input element" do |allowed:|
@@ -1452,91 +1467,137 @@ describe Qiita::Markdown::Processor do
       end
 
       context "with HTML embed code for Youtube" do
-        let(:markdown) do
-          <<-MARKDOWN.strip_heredoc
-            <iframe width="100" height="100" src="https://www.youtube.com/embed/example"></iframe>
-          MARKDOWN
-        end
+        shared_examples "embed code youtube example" do
+          let(:markdown) do
+            <<-MARKDOWN.strip_heredoc
+              <iframe width="100" height="100" src="#{url}"></iframe>
+            MARKDOWN
+          end
+          let(:url) { "#{scheme}//www.youtube.com/embed/example" }
 
-        if allowed
-          it "does not sanitize embed code" do
-            should eq <<-HTML.strip_heredoc
-              <iframe width="100" height="100" src="https://www.youtube.com/embed/example"></iframe>
-            HTML
+          if allowed
+            it "does not sanitize embed code" do
+              should eq <<-HTML.strip_heredoc
+                <iframe width="100" height="100" src="#{url}"></iframe>
+              HTML
+            end
+          else
+            it "forces width attribute on iframe" do
+              should eq <<-HTML.strip_heredoc
+                <iframe width="100%" height="100" src="#{url}"></iframe>
+              HTML
+            end
           end
-        else
-          it "forces width attribute on iframe" do
-            should eq <<-HTML.strip_heredoc
-              <iframe width="100%" height="100" src="https://www.youtube.com/embed/example"></iframe>
-            HTML
+
+          context "when url is privacy enhanced mode" do
+            let(:markdown) do
+              <<-MARKDOWN.strip_heredoc
+                <iframe width="100" height="100" src="#{url}"></iframe>
+              MARKDOWN
+            end
+            let(:url) { "#{scheme}//www.youtube-nocookie.com/embed/example" }
+
+            if allowed
+              it "does not sanitize embed code" do
+                should eq <<-HTML.strip_heredoc
+                  <iframe width="100" height="100" src="#{url}"></iframe>
+                HTML
+              end
+            else
+              it "forces width attribute on iframe" do
+                should eq <<-HTML.strip_heredoc
+                  <iframe width="100%" height="100" src="#{url}"></iframe>
+                HTML
+              end
+            end
           end
         end
 
-        context "when url is privacy enhanced mode" do
+        context "with scheme" do
+          let(:scheme) { "https:" }
+
+          include_examples "embed code youtube example"
+        end
+
+        context "without scheme" do
+          let(:scheme) { "" }
+
+          include_examples "embed code youtube example"
+        end
+      end
+
+      context "with HTML embed code for SlideShare" do
+        shared_examples "embed code slideshare example" do
           let(:markdown) do
             <<-MARKDOWN.strip_heredoc
-              <iframe width="100" height="100" src="https://www.youtube-nocookie.com/embed/example"></iframe>
+              <iframe width="100" height="100" src="#{url}"></iframe>
             MARKDOWN
           end
+          let(:url) { "#{scheme}//www.slideshare.net/embed/example" }
 
           if allowed
             it "does not sanitize embed code" do
               should eq <<-HTML.strip_heredoc
-                <iframe width="100" height="100" src="https://www.youtube-nocookie.com/embed/example"></iframe>
+                <iframe width="100" height="100" src="#{url}"></iframe>
               HTML
             end
           else
             it "forces width attribute on iframe" do
               should eq <<-HTML.strip_heredoc
-                <iframe width="100%" height="100" src="https://www.youtube-nocookie.com/embed/example"></iframe>
+                <iframe width="100%" height="100" src="#{url}"></iframe>
               HTML
             end
           end
         end
-      end
 
-      context "with HTML embed code for SlideShare" do
-        let(:markdown) do
-          <<-MARKDOWN.strip_heredoc
-            <iframe width="100" height="100" src="https://www.slideshare.net/embed/example"></iframe>
-          MARKDOWN
+        context "with scheme" do
+          let(:scheme) { "https:" }
+
+          include_examples "embed code slideshare example"
         end
 
-        if allowed
-          it "does not sanitize embed code" do
-            should eq <<-HTML.strip_heredoc
-              <iframe width="100" height="100" src="https://www.slideshare.net/embed/example"></iframe>
-            HTML
-          end
-        else
-          it "forces width attribute on iframe" do
-            should eq <<-HTML.strip_heredoc
-              <iframe width="100%" height="100" src="https://www.slideshare.net/embed/example"></iframe>
-            HTML
-          end
+        context "without scheme" do
+          let(:scheme) { "" }
+
+          include_examples "embed code slideshare example"
         end
       end
 
       context "with HTML embed code for GoogleSlide" do
-        let(:markdown) do
-          <<-MARKDOWN.strip_heredoc
-            <iframe src="https://docs.google.com/presentation/d/example/embed" frameborder="0" width="482" height="300" allowfullscreen="true" mozallowfullscreen="true" webkitallowfullscreen="true"></iframe>
-          MARKDOWN
-        end
-
-        if allowed
-          it "does not sanitize embed code" do
-            should eq <<-HTML.strip_heredoc
-              <iframe src="https://docs.google.com/presentation/d/example/embed" frameborder="0" width="482" height="300" allowfullscreen="true"></iframe>
-            HTML
+        shared_examples "embed code googleslide example" do
+          let(:markdown) do
+            <<-MARKDOWN.strip_heredoc
+            <iframe src="#{url}" frameborder="0" width="482" height="300" allowfullscreen="true" mozallowfullscreen="true" webkitallowfullscreen="true"></iframe>
+            MARKDOWN
           end
-        else
-          it "forces width attribute on iframe" do
-            should eq <<-HTML.strip_heredoc
-              <iframe src="https://docs.google.com/presentation/d/example/embed" frameborder="0" width="100%" height="300" allowfullscreen="true"></iframe>
-            HTML
+          let(:url) { "#{scheme}//docs.google.com/presentation/d/example/embed" }
+
+          if allowed
+            it "does not sanitize embed code" do
+              should eq <<-HTML.strip_heredoc
+              <iframe src="#{url}" frameborder="0" width="482" height="300" allowfullscreen="true"></iframe>
+              HTML
+            end
+          else
+            it "forces width attribute on iframe" do
+              should eq <<-HTML.strip_heredoc
+              <iframe src="#{url}" frameborder="0" width="100%" height="300" allowfullscreen="true"></iframe>
+              HTML
+            end
           end
         end
+
+        context "with scheme" do
+          let(:scheme) { "https:" }
+
+          include_examples "embed code googleslide example"
+        end
+
+        context "without scheme" do
+          let(:scheme) { "" }
+
+          include_examples "embed code googleslide example"
+        end
       end
 
       context "with HTML embed code for SpeekerDeck" do
@@ -1582,11 +1643,15 @@ describe Qiita::Markdown::Processor do
           <<-MARKDOWN.strip_heredoc
             <script async class="speakerdeck-embed" data-id="example" data-ratio="1.33333333333333" src="javascript://speakerdeck.com/assets/embed.js"></script>
           MARKDOWN
+        end
 
+        if allowed
+          it "does not sanitize embed code" do
+            should eq markdown
+          end
+        else
           it "forces width attribute on iframe" do
-            should eq <<-HTML.strip_heredoc
-              \n
-            HTML
+            should eq "\n"
           end
         end
       end
@@ -1596,12 +1661,18 @@ describe Qiita::Markdown::Processor do
           <<-MARKDOWN.strip_heredoc
             <iframe src="javascript://docs.google.com:80/%0d%0aalert(document.domain)" frameborder="0" width="482" height="300" allowfullscreen="true" mozallowfullscreen="true" webkitallowfullscreen="true"></iframe>
           MARKDOWN
+        end
 
-          it "forces width attribute on iframe" do
+        if allowed
+          it "does not sanitize embed code" do
             should eq <<-HTML.strip_heredoc
-              \n
+              <iframe src="javascript://docs.google.com:80/%0d%0aalert(document.domain)" frameborder="0" width="482" height="300" allowfullscreen="true"></iframe>
             HTML
           end
+        else
+          it "forces width attribute on iframe" do
+            should eq "\n"
+          end
         end
       end
     end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: qiita-markdown
 version: !ruby/object:Gem::Version
-  version: 0.34.0
+  version: 0.35.0
 platform: ruby
 authors:
 - Ryo Nakamura
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-03-19 00:00:00.000000000 Z
+date: 2021-04-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gemoji