Clean up sanitization code

- remove html table test, this is soon to be deprecated
- move sanitization tests into pretty text.rb
- fix up whitelister so it makes a copy of options
Sam 2017-06-26 15:21:27 -04:00
parent febfe27669
commit 8967d50dc2
4 changed files with 18 additions and 32 deletions


@ -151,13 +151,12 @@ export function setup(opts, siteSettings, state) {
opts.setup = true; opts.setup = true;
if (!opts.discourse.sanitizer) { if (!opts.discourse.sanitizer) {
opts.sanitizer = opts.discourse.sanitizer = (!!opts.discourse.sanitize) ? sanitize : a=>a; const whiteLister = new WhiteLister(opts.discourse);
opts.sanitizer = opts.discourse.sanitizer = (!!opts.discourse.sanitize) ? a=>sanitize(a, whiteLister) : a=>a;
} }
} }
export function cook(raw, opts) { export function cook(raw, opts) {
const whiteLister = new WhiteLister(opts.discourse);
// we still have to hoist html_raw nodes so they bypass the whitelister // we still have to hoist html_raw nodes so they bypass the whitelister
// this is the case for oneboxes // this is the case for oneboxes
let hoisted = {}; let hoisted = {};
@ -165,7 +164,7 @@ export function cook(raw, opts) {
opts.discourse.hoisted = hoisted; opts.discourse.hoisted = hoisted;
const rendered = opts.engine.render(raw); const rendered = opts.engine.render(raw);
let cooked = opts.discourse.sanitizer(rendered, whiteLister).trim(); let cooked = opts.discourse.sanitizer(rendered).trim();
const keys = Object.keys(hoisted); const keys = Object.keys(hoisted);
if (keys.length) { if (keys.length) {
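Review bot: The sanitizer closure `a=>sanitize(a, whiteLister)` now captures one WhiteLister for as long as `opts.discourse.sanitizer` exists, whereas cook previously built a fresh one per call; since the WhiteLister constructor computes `_featureKeys`, `_key` and `_features` up front, any change to `opts.discourse.features` after setup is no longer reflected in sanitization, and the `if (!opts.discourse.sanitizer)` guard means a second setup call will not rebuild it either. That is probably the intent, but it deserves a comment on the `const whiteLister` line, e.g. `// built once per setup: feature flags are snapshotted here, later changes to opts.discourse.features are not seen by the sanitizer`. Note that `opts.discourse` itself keeps being mutated per cook call (`opts.discourse.hoisted = hoisted`), so whatever the WhiteLister keeps by reference stays live. setup begins before the hunk and cook continues after it.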


@ -25,7 +25,7 @@ export default class WhiteLister {
this._featureKeys = Object.keys(options.features).filter(f => options.features[f]); this._featureKeys = Object.keys(options.features).filter(f => options.features[f]);
this._key = this._featureKeys.join(':'); this._key = this._featureKeys.join(':');
this._features = options.features; this._features = options.features;
this._options = {}; this._options = options;
} }
getCustom() { getCustom() {
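Review bot: If the right-hand `this._options = options;` is the new line, the whitelister stores the caller's options object by reference, while the commit message says it should "make a copy of options"; the same object is passed as `new WhiteLister(opts.discourse)` in setup and is mutated on every cook call, so later changes are visible through `_options`. If a snapshot is what was meant, `this._options = Object.assign({}, options);` matches the message; if sharing is intended, the message should say so and a comment such as `// held by reference: callers may mutate options after construction` would stop the next reader from "fixing" it. The constructor starts outside the hunk, so I cannot see whether `_options` is read elsewhere in the class.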


@ -440,21 +440,6 @@ HTML
expect(PrettyText.cook(raw)).to match_html(cooked) expect(PrettyText.cook(raw)).to match_html(cooked)
end end
describe 'tables' do
it 'allows table html' do
SiteSetting.allow_html_tables = true
table = "<table class='fa-spin'><thead><tr>\n<th class='fa-spin'>test</th></tr></thead><tbody><tr><td>a</td></tr></tbody></table>"
match = "<table class=\"md-table\"><thead><tr> <th>test</th> </tr></thead><tbody><tr><td>a</td></tr></tbody></table>"
expect(PrettyText.cook(table)).to match_html(match)
end
it 'allows no tables when not enabled' do
SiteSetting.allow_html_tables = false
table = "<table><thead><tr><th>test</th></tr></thead><tbody><tr><td>a</td></tr></tbody></table>"
expect(PrettyText.cook(table)).to match_html("")
end
end
describe "emoji" do describe "emoji" do
it "replaces unicode emoji with our emoji sets if emoji is enabled" do it "replaces unicode emoji with our emoji sets if emoji is enabled" do
expect(PrettyText.cook("💣")).to match(/\:bomb\:/) expect(PrettyText.cook("💣")).to match(/\:bomb\:/)
@ -518,10 +503,6 @@ HTML
SiteSetting.enable_experimental_markdown_it = true SiteSetting.enable_experimental_markdown_it = true
end end
after do
SiteSetting.enable_experimental_markdown_it = false
end
# it "replaces skin toned emoji" do # it "replaces skin toned emoji" do
# expect(PrettyText.cook("hello 👱🏿‍♀️")).to eq("<p>hello <img src=\"/images/emoji/emoji_one/blonde_woman/6.png?v=5\" title=\":blonde_woman:t6:\" class=\"emoji\" alt=\":blonde_woman:t6:\"></p>") # expect(PrettyText.cook("hello 👱🏿‍♀️")).to eq("<p>hello <img src=\"/images/emoji/emoji_one/blonde_woman/6.png?v=5\" title=\":blonde_woman:t6:\" class=\"emoji\" alt=\":blonde_woman:t6:\"></p>")
# expect(PrettyText.cook("hello 👩‍🎤")).to eq("<p>hello <img src=\"/images/emoji/emoji_one/woman_singer.png?v=5\" title=\":woman_singer:\" class=\"emoji\" alt=\":woman_singer:\"></p>") # expect(PrettyText.cook("hello 👩‍🎤")).to eq("<p>hello <img src=\"/images/emoji/emoji_one/woman_singer.png?v=5\" title=\":woman_singer:\" class=\"emoji\" alt=\":woman_singer:\"></p>")
@ -530,6 +511,20 @@ HTML
# end # end
# #
it "supports href schemes" do
SiteSetting.allowed_href_schemes = "macappstore|steam"
cooked = cook("[Steam URL Scheme](steam://store/452530)")
expected = '<p><a href="steam://store/452530" rel="nofollow noopener">Steam URL Scheme</a></p>'
expect(cooked).to eq(n expected)
end
it "supports forbidden schemes" do
SiteSetting.allowed_href_schemes = "macappstore|itunes"
cooked = cook("[Steam URL Scheme](steam://store/452530)")
expected = '<p><a>Steam URL Scheme</a></p>'
expect(cooked).to eq(n expected)
end
it "produces tag links" do it "produces tag links" do
Fabricate(:topic, {tags: [Fabricate(:tag, name: 'known')]}) Fabricate(:topic, {tags: [Fabricate(:tag, name: 'known')]})
expect(PrettyText.cook("x #unknown::tag #known::tag")).to match_html("<p>x <span class=\"hashtag\">#unknown::tag</span> <a class=\"hashtag\" href=\"http://test.localhost/tags/known\">#<span>known</span></a></p>") expect(PrettyText.cook("x #unknown::tag #known::tag")).to match_html("<p>x <span class=\"hashtag\">#unknown::tag</span> <a class=\"hashtag\" href=\"http://test.localhost/tags/known\">#<span>known</span></a></p>")
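Review bot: `expect(cooked).to eq(n expected)` in both new href-scheme examples relies on a nested command call without parentheses, which reads like a typo and would be flagged by RuboCop; `expect(cooked).to eq(n(expected))` says the same thing unambiguously (`n` is presumably a normalising helper defined elsewhere in the spec, outside the hunk). The hunk at @ -518 also removes the `after` block that reset `enable_experimental_markdown_it` to false after the `before` above it sets it true, so unless the suite resets SiteSetting between examples that value now leaks into later examples; the new examples likewise set `allowed_href_schemes` without restoring it. The forbidden-scheme example captures the intended behaviour well: the `href` is dropped while the anchor text is kept, which is worth a one-line comment so the expected `<a>` without attributes is not mistaken for a bug.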


@ -73,11 +73,3 @@ function md(assert, input, expected, text, settings) {
%> %>
<%= mdtest_suite %> <%= mdtest_suite %>
test("whitelisted url scheme", function(assert) {
md(assert, "[Steam URL Scheme](steam://store/452530)", '<p><a href="steam://store/452530">Steam URL Scheme</a></p>', 'whitelists the steam url', {allowed_href_schemes: "macappstore|steam"});
});
test("forbidden url scheme", function(assert) {
md(assert, "[Steam URL Scheme](steam://store/452530)", '<p><a>Steam URL Scheme</a></p>', 'removes the href', {allowed_href_schemes: "macappstore|itunes"});
});