FIX: Headings must begin with heading-- to avoid some griefing

2024-11-23 06:04:11 +08:00 · 2017-10-16 11:53:47 -04:00 · 2017-10-16 11:53:47 -04:00 · fb2e581b26
commit fb2e581b26
parent 5f76e5062d
3 changed files with 30 additions and 12 deletions
--- a/app/assets/javascripts/pretty-text/sanitizer.js.es6
+++ b/app/assets/javascripts/pretty-text/sanitizer.js.es6
@ -98,6 +98,14 @@ export function sanitize(text, whiteLister) {
          return "-STRIP-";
        }

+        // Heading ids must begin with `heading--`
+        if (
+          ['h1', 'h2', 'h3', 'h4', 'h5', 'h6'].indexOf(tag) !== -1 &&
+          value.match(/^heading\-\-[a-zA-Z0-9\-\_]+$/)
+        ) {
+          return attr(name, value);
+        }
+
        const custom = whiteLister.getCustom();
        for (let i=0; i<custom.length; i++) {
          const fn = custom[i];
--- a/app/assets/javascripts/pretty-text/white-lister.js.es6
+++ b/app/assets/javascripts/pretty-text/white-lister.js.es6
@ -141,12 +141,12 @@ const DEFAULT_LIST = [
  'dl',
  'dt',
  'em',
-  'h1[id]',
-  'h2[id]',
-  'h3[id]',
-  'h4[id]',
-  'h5[id]',
-  'h6[id]',
+  'h1',
+  'h2',
+  'h3',
+  'h4',
+  'h5',
+  'h6',
  'hr',
  'i',
  'iframe',
--- a/test/javascripts/lib/sanitizer-test.js.es6
+++ b/test/javascripts/lib/sanitizer-test.js.es6
@ -65,12 +65,22 @@ QUnit.test("sanitize", assert => {
 QUnit.test("ids on headings", assert => {
  const pt = new PrettyText(buildOptions({ siteSettings: {} }));
  assert.equal(pt.sanitize("<h3>Test Heading</h3>"), "<h3>Test Heading</h3>");
-  assert.equal(pt.sanitize(`<h1 id="test-heading">Test Heading</h1>`), `<h1 id="test-heading">Test Heading</h1>`);
-  assert.equal(pt.sanitize(`<h2 id="test-heading">Test Heading</h2>`), `<h2 id="test-heading">Test Heading</h2>`);
-  assert.equal(pt.sanitize(`<h3 id="test-heading">Test Heading</h3>`), `<h3 id="test-heading">Test Heading</h3>`);
-  assert.equal(pt.sanitize(`<h4 id="test-heading">Test Heading</h4>`), `<h4 id="test-heading">Test Heading</h4>`);
-  assert.equal(pt.sanitize(`<h5 id="test-heading">Test Heading</h5>`), `<h5 id="test-heading">Test Heading</h5>`);
-  assert.equal(pt.sanitize(`<h6 id="test-heading">Test Heading</h6>`), `<h6 id="test-heading">Test Heading</h6>`);
+  assert.equal(pt.sanitize(`<h1 id="heading--test">Test Heading</h1>`), `<h1 id="heading--test">Test Heading</h1>`);
+  assert.equal(pt.sanitize(`<h2 id="heading--cool">Test Heading</h2>`), `<h2 id="heading--cool">Test Heading</h2>`);
+  assert.equal(pt.sanitize(`<h3 id="heading--dashed-name">Test Heading</h3>`), `<h3 id="heading--dashed-name">Test Heading</h3>`);
+  assert.equal(pt.sanitize(`<h4 id="heading--underscored_name">Test Heading</h4>`), `<h4 id="heading--underscored_name">Test Heading</h4>`);
+  assert.equal(pt.sanitize(`<h5 id="heading--trout">Test Heading</h5>`), `<h5 id="heading--trout">Test Heading</h5>`);
+  assert.equal(pt.sanitize(`<h6 id="heading--discourse">Test Heading</h6>`), `<h6 id="heading--discourse">Test Heading</h6>`);
+});
+
+QUnit.test("poorly formed ids on headings", assert => {
+  let pt = new PrettyText(buildOptions({ siteSettings: {} }));
+  assert.equal(pt.sanitize(`<h1 id="evil-trout">Test Heading</h1>`), `<h1>Test Heading</h1>`);
+  assert.equal(pt.sanitize(`<h1 id="heading--">Test Heading</h1>`), `<h1>Test Heading</h1>`);
+  assert.equal(pt.sanitize(`<h1 id="heading--with space">Test Heading</h1>`), `<h1>Test Heading</h1>`);
+  assert.equal(pt.sanitize(`<h1 id="heading--with*char">Test Heading</h1>`), `<h1>Test Heading</h1>`);
+  assert.equal(pt.sanitize(`<h1 id="heading--">Test Heading</h1>`), `<h1>Test Heading</h1>`);
+  assert.equal(pt.sanitize(`<h1 id="test-heading--cool">Test Heading</h1>`), `<h1>Test Heading</h1>`);
 });

 QUnit.test("urlAllowed", assert => {