rich_text_renderer 0.2.1 → 0.2.2
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/lib/rich_text_renderer/block_renderers/blockquote_renderer.rb +1 -1
- data/lib/rich_text_renderer/text_renderers/text_renderer.rb +2 -0
- data/lib/rich_text_renderer/version.rb +1 -1
- data/spec/lib/rich_text_renderer/block_renderers/blockquote_renderer_spec.rb +3 -3
- data/spec/lib/rich_text_renderer/text_renderers/text_renderer_spec.rb +12 -0
- metadata +3 -4
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: c0564e840440e02ea054c716664a738e1e081e93ea1ff5973b72d0e91c5aa075
|
4
|
+
data.tar.gz: 3b50e33011b385355b23bf9dc4d7aa7fd7d06a9a389ff5ae401fc1c72ece399e
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 2dd251c58a449e74096e498f74410b37fbe8849905745f970ab2c35a5eba872d45d127afcf53a2060342603459bb62069cd3d9d6df78d2124f19d44ca445893a
|
7
|
+
data.tar.gz: 86b19381e4e57e306f2a0859398a4ac50b62d8cbe0e1796510c1b84cc2f7c3cba1b5d56a2e613756c19d67a0ddba645b204d510da42b4e9d0a24751124c7a045
|
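--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -2,6 +2,11 @@
 
 ## Unreleased
 
+## v0.2.2
+### Fixed
+* Fixed mispelt blockquote tag. [#9](https://github.com/contentful/rich-text-renderer.rb/pull/9)
+* Removed the possibility of XSS via text in nodes. [#10](https://github.com/contentful/rich-text-renderer.rb/pull/10)
+
 ## v0.2.1
 ### Fixed
 * Default `EntryBlockRenderer` now properly stringifies `data.target` instead of just data.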
@@ -7,6 +7,8 @@ module RichTextRenderer
|
|
7
7
|
def render(node)
|
8
8
|
node = Marshal.load(Marshal.dump(node)) # Clone the node
|
9
9
|
|
10
|
+
node['value'] = CGI.escapeHTML(node['value'])
|
11
|
+
|
10
12
|
node.fetch('marks', []).each do |mark|
|
11
13
|
renderer = mappings[mark['type']]
|
12
14
|
return mappings[nil].new(mappings).render(mark) if renderer.nil? && mappings.key?(nil)
|
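Review bot: `CGI.escapeHTML(node['value'])` on new line 10 raises a TypeError when a text node arrives with no `value` (nil), whereas before this change a nil value simply reached the mark renderers unchanged; if a missing value is a legal input here, guard it with `node['value'] = CGI.escapeHTML(node['value'].to_s)` or `node['value'] = CGI.escapeHTML(node['value']) if node['value']`. The hunk shows no `require 'cgi'`; unless something else in the gem already loads it, the first render will fail with NameError, so add the require at the top of this file (the file header is outside the hunk). Because escaping now happens before the marks loop, every mark renderer receives already-escaped text, which is the property the companion spec pins; a one-line comment on the new line would make that intent survive refactors, e.g. `# Escape the user-supplied text once, before mark renderers wrap it, so no renderer emits raw HTML`. render's body continues past the end of the hunk.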
@@ -14,12 +14,12 @@ describe RichTextRenderer::BlockQuoteRenderer do
|
|
14
14
|
end
|
15
15
|
|
16
16
|
describe '#render' do
|
17
|
-
it 'renders a
|
18
|
-
expect(subject.render(mock_node)).to eq "<
|
17
|
+
it 'renders a blockquote' do
|
18
|
+
expect(subject.render(mock_node)).to eq "<blockquote><p>foo</p></blockquote>"
|
19
19
|
end
|
20
20
|
|
21
21
|
it 'will propagate marks to text renderers' do
|
22
|
-
expect(subject.render(mock_node_with_marks)).to eq "<
|
22
|
+
expect(subject.render(mock_node_with_marks)).to eq "<blockquote><p><b>foo</b></p></blockquote>"
|
23
23
|
end
|
24
24
|
end
|
25
25
|
end
|
@@ -14,6 +14,10 @@ mock_node_multiple_marks = {
|
|
14
14
|
|
15
15
|
mock_node_unsupported_mark = {"value" => "foo", "nodeType" => "text", "marks" => [{"type" => "foobar"}]}
|
16
16
|
|
17
|
+
mock_node_unsafe_value = {"value" => "<script>alert('XSS!');</script>", "nodeType" => "text", "marks" => []}
|
18
|
+
|
19
|
+
mock_node_unsafe_value_with_marks = {"value" => "<script>alert('XSS!');</script>", "nodeType" => "text", "marks" => [{"type" => "underline"}, {"type" => "italic"}, {"type" => "bold"}]}
|
20
|
+
|
17
21
|
describe RichTextRenderer::TextRenderer do
|
18
22
|
subject do
|
19
23
|
described_class.new(
|
@@ -49,5 +53,13 @@ describe RichTextRenderer::TextRenderer do
|
|
49
53
|
|
50
54
|
expect(subject.render(mock_node_bold_only)).to eq "**foo**"
|
51
55
|
end
|
56
|
+
|
57
|
+
it 'escapes value' do
|
58
|
+
expect(subject.render(mock_node_unsafe_value)).to eq "<script>alert('XSS!');</script>"
|
59
|
+
end
|
60
|
+
|
61
|
+
it 'renders marks but keeps value escaped' do
|
62
|
+
expect(subject.render(mock_node_unsafe_value_with_marks)).to eq "<b><i><u><script>alert('XSS!');</script></u></i></b>"
|
63
|
+
end
|
52
64
|
end
|
53
65
|
end
|
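Review bot: As displayed, the expected string on new line 58, `"<script>alert('XSS!');</script>"`, is byte-identical to the `value` of `mock_node_unsafe_value`, so the assertion as shown would pass only if render escaped nothing; this is presumably the page having decoded the HTML entities in the spec source, and the real expectation should read `"&lt;script&gt;alert(&#39;XSS!&#39;);&lt;/script&gt;"`, which is what `CGI.escapeHTML` produces — worth confirming against the file, and the same applies to new line 62. Neither new example covers a value containing `&` or `"`, nor a text node whose `value` key is absent, so the full escape set and the nil path stay unpinned; a fixture such as `{"value" => "a & \"b\"", "nodeType" => "text", "marks" => []}` expecting `"a &amp; &quot;b&quot;"` would close the first gap. The enclosing describe block begins before the hunk.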
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rich_text_renderer
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.2.
|
4
|
+
version: 0.2.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Contentful GmbH (David Litvak Bruno)
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2019-05-22 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bundler
|
@@ -358,8 +358,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
358
358
|
- !ruby/object:Gem::Version
|
359
359
|
version: '0'
|
360
360
|
requirements: []
|
361
|
-
|
362
|
-
rubygems_version: 2.7.6
|
361
|
+
rubygems_version: 3.0.3
|
363
362
|
signing_key:
|
364
363
|
specification_version: 4
|
365
364
|
summary: Rich Text Renderer for the Contentful RichText field type
|