Clean up sanitization code

- remove html table test, this is soon to be deprecated - move sanitization tests into pretty text.rb - fix up whitelister so it makes a copy of options
2024-11-22 19:46:55 +08:00 · 2017-06-26 15:21:27 -04:00 · 2017-06-26 15:21:27 -04:00 · 8967d50dc2
commit 8967d50dc2
parent febfe27669
4 changed files with 18 additions and 32 deletions
--- a/app/assets/javascripts/pretty-text/engines/discourse-markdown-it.js.es6
+++ b/app/assets/javascripts/pretty-text/engines/discourse-markdown-it.js.es6
@ -151,13 +151,12 @@ export function setup(opts, siteSettings, state) {
  opts.setup = true;

  if (!opts.discourse.sanitizer) {
-    opts.sanitizer = opts.discourse.sanitizer = (!!opts.discourse.sanitize) ? sanitize : a=>a;
+    const whiteLister = new WhiteLister(opts.discourse);
+    opts.sanitizer = opts.discourse.sanitizer = (!!opts.discourse.sanitize) ? a=>sanitize(a, whiteLister) : a=>a;
  }
 }

 export function cook(raw, opts) {
-  const whiteLister = new WhiteLister(opts.discourse);
-
  // we still have to hoist html_raw nodes so they bypass the whitelister
  // this is the case for oneboxes
  let hoisted = {};
@ -165,7 +164,7 @@ export function cook(raw, opts) {
  opts.discourse.hoisted = hoisted;

  const rendered = opts.engine.render(raw);
-  let cooked = opts.discourse.sanitizer(rendered, whiteLister).trim();
+  let cooked = opts.discourse.sanitizer(rendered).trim();

  const keys = Object.keys(hoisted);
  if (keys.length) {
--- a/app/assets/javascripts/pretty-text/white-lister.js.es6
+++ b/app/assets/javascripts/pretty-text/white-lister.js.es6
@ -25,7 +25,7 @@ export default class WhiteLister {
    this._featureKeys = Object.keys(options.features).filter(f => options.features[f]);
    this._key = this._featureKeys.join(':');
    this._features = options.features;
-    this._options = {};
+    this._options = options;
  }

  getCustom() {
--- a/spec/components/pretty_text_spec.rb
+++ b/spec/components/pretty_text_spec.rb
@ -440,21 +440,6 @@ HTML
    expect(PrettyText.cook(raw)).to match_html(cooked)
  end

-  describe 'tables' do
-    it 'allows table html' do
-      SiteSetting.allow_html_tables = true
-      table = "<table class='fa-spin'><thead><tr>\n<th class='fa-spin'>test</th></tr></thead><tbody><tr><td>a</td></tr></tbody></table>"
-      match = "<table class=\"md-table\"><thead><tr> <th>test</th> </tr></thead><tbody><tr><td>a</td></tr></tbody></table>"
-      expect(PrettyText.cook(table)).to match_html(match)
-    end
-
-    it 'allows no tables when not enabled' do
-      SiteSetting.allow_html_tables = false
-      table = "<table><thead><tr><th>test</th></tr></thead><tbody><tr><td>a</td></tr></tbody></table>"
-      expect(PrettyText.cook(table)).to match_html("")
-    end
-  end
-
  describe "emoji" do
    it "replaces unicode emoji with our emoji sets if emoji is enabled" do
      expect(PrettyText.cook("💣")).to match(/\:bomb\:/)
@ -518,10 +503,6 @@ HTML
      SiteSetting.enable_experimental_markdown_it = true
    end

-    after do
-      SiteSetting.enable_experimental_markdown_it = false
-    end
-
    # it "replaces skin toned emoji" do
    #   expect(PrettyText.cook("hello 👱🏿‍♀️")).to eq("<p>hello <img src=\"/images/emoji/emoji_one/blonde_woman/6.png?v=5\" title=\":blonde_woman:t6:\" class=\"emoji\" alt=\":blonde_woman:t6:\"></p>")
    #   expect(PrettyText.cook("hello 👩‍🎤")).to eq("<p>hello <img src=\"/images/emoji/emoji_one/woman_singer.png?v=5\" title=\":woman_singer:\" class=\"emoji\" alt=\":woman_singer:\"></p>")
@ -530,6 +511,20 @@ HTML
    # end
    #

+    it "supports href schemes" do
+      SiteSetting.allowed_href_schemes = "macappstore|steam"
+      cooked = cook("[Steam URL Scheme](steam://store/452530)")
+      expected = '<p><a href="steam://store/452530" rel="nofollow noopener">Steam URL Scheme</a></p>'
+      expect(cooked).to eq(n expected)
+    end
+
+    it "supports forbidden schemes" do
+      SiteSetting.allowed_href_schemes = "macappstore|itunes"
+      cooked = cook("[Steam URL Scheme](steam://store/452530)")
+      expected = '<p><a>Steam URL Scheme</a></p>'
+      expect(cooked).to eq(n expected)
+    end
+
    it "produces tag links" do
      Fabricate(:topic, {tags: [Fabricate(:tag, name: 'known')]})
      expect(PrettyText.cook("x #unknown::tag #known::tag")).to match_html("<p>x <span class=\"hashtag\">#unknown::tag</span> <a class=\"hashtag\" href=\"http://test.localhost/tags/known\">#<span>known</span></a></p>")
--- a/test/javascripts/mdtest/mdtest.js.es6.erb
+++ b/test/javascripts/mdtest/mdtest.js.es6.erb
@ -73,11 +73,3 @@ function md(assert, input, expected, text, settings) {
 %>

 <%= mdtest_suite %>
-
-test("whitelisted url scheme", function(assert) {
-  md(assert, "[Steam URL Scheme](steam://store/452530)", '<p><a href="steam://store/452530">Steam URL Scheme</a></p>', 'whitelists the steam url', {allowed_href_schemes: "macappstore|steam"});
-});
-
-test("forbidden url scheme", function(assert) {
-  md(assert, "[Steam URL Scheme](steam://store/452530)", '<p><a>Steam URL Scheme</a></p>', 'removes the href', {allowed_href_schemes: "macappstore|itunes"});
-});