Update upstream source from tag 'upstream/2.8.4'
Update to upstream version '2.8.4'
with Debian dir 79662d240f2e096927d4e593ab77130a633be98c
Lucas Kanashiro
5 years ago
15 | 15 | gem 'minitest' |
16 | 16 | gem 'RedCloth', '~> 4.2.9', require: false |
17 | 17 | gem 'rinku', '~> 1.7', require: false |
18 | gem 'sanitize', '~> 2.0', require: false | |
18 | gem 'sanitize', '~> 4.6', require: false | |
19 | 19 | |
20 | 20 | gem 'escape_utils', '~> 1.0', require: false |
21 | 21 | gem 'rouge', '~> 3.1', require: false |
185 | 185 | * `PlainTextInputFilter` - `escape_utils` |
186 | 186 | * `SanitizationFilter` - `sanitize` |
187 | 187 | * `SyntaxHighlightFilter` - `rouge` |
188 | * `TableOfContentsFilter` - `escape_utils` | |
188 | 189 | * `TextileFilter` - `RedCloth` |
189 | 190 | |
190 | 191 | _Note:_ See [Gemfile](/Gemfile) `:test` block for version requirements. |
40 | 40 | elements: %w[ |
41 | 41 | h1 h2 h3 h4 h5 h6 h7 h8 br b i strong em a pre code img tt |
42 | 42 | div ins del sup sub p ol ul table thead tbody tfoot blockquote |
43 | dl dt dd kbd q samp var hr ruby rt rp li tr td th s strike summary details | |
44 | ], | |
45 | remove_contents: ['script'], | |
43 | dl dt dd kbd q samp var hr ruby rt rp li tr td th s strike summary | |
44 | details caption figure figcaption | |
45 | ].freeze, | |
46 | remove_contents: ['script'].freeze, | |
46 | 47 | attributes: { |
47 | 'a' => ['href'], | |
48 | 'img' => %w[src longdesc], | |
49 | 'div' => %w[itemscope itemtype], | |
50 | 'blockquote' => ['cite'], | |
51 | 'del' => ['cite'], | |
52 | 'ins' => ['cite'], | |
53 | 'q' => ['cite'], | |
54 | :all => ['abbr', 'accept', 'accept-charset', | |
55 | 'accesskey', 'action', 'align', 'alt', 'axis', | |
56 | 'border', 'cellpadding', 'cellspacing', 'char', | |
57 | 'charoff', 'charset', 'checked', | |
58 | 'clear', 'cols', 'colspan', 'color', | |
59 | 'compact', 'coords', 'datetime', 'dir', | |
60 | 'disabled', 'enctype', 'for', 'frame', | |
61 | 'headers', 'height', 'hreflang', | |
62 | 'hspace', 'ismap', 'label', 'lang', | |
63 | 'maxlength', 'media', 'method', | |
64 | 'multiple', 'name', 'nohref', 'noshade', | |
65 | 'nowrap', 'open', 'prompt', 'readonly', 'rel', 'rev', | |
66 | 'rows', 'rowspan', 'rules', 'scope', | |
67 | 'selected', 'shape', 'size', 'span', | |
68 | 'start', 'summary', 'tabindex', 'target', | |
69 | 'title', 'type', 'usemap', 'valign', 'value', | |
70 | 'vspace', 'width', 'itemprop'] | |
71 | }, | |
48 | 'a' => ['href'].freeze, | |
49 | 'img' => %w[src longdesc].freeze, | |
50 | 'div' => %w[itemscope itemtype].freeze, | |
51 | 'blockquote' => ['cite'].freeze, | |
52 | 'del' => ['cite'].freeze, | |
53 | 'ins' => ['cite'].freeze, | |
54 | 'q' => ['cite'].freeze, | |
55 | all: %w[abbr accept accept-charset | |
56 | accesskey action align alt | |
57 | aria-describedby aria-hidden aria-label aria-labelledby | |
58 | axis border cellpadding cellspacing char | |
59 | charoff charset checked | |
60 | clear cols colspan color | |
61 | compact coords datetime dir | |
62 | disabled enctype for frame | |
63 | headers height hreflang | |
64 | hspace ismap label lang | |
65 | maxlength media method | |
66 | multiple name nohref noshade | |
67 | nowrap open prompt readonly rel rev | |
68 | rows rowspan rules scope | |
69 | selected shape size span | |
70 | start summary tabindex target | |
71 | title type usemap valign value | |
72 | vspace width itemprop].freeze | |
73 | }.freeze, | |
72 | 74 | protocols: { |
73 | 75 | 'a' => { 'href' => ANCHOR_SCHEMES }, |
74 | 'blockquote' => { 'cite' => ['http', 'https', :relative] }, | |
75 | 'del' => { 'cite' => ['http', 'https', :relative] }, | |
76 | 'ins' => { 'cite' => ['http', 'https', :relative] }, | |
77 | 'q' => { 'cite' => ['http', 'https', :relative] }, | |
76 | 'blockquote' => { 'cite' => ['http', 'https', :relative].freeze }, | |
77 | 'del' => { 'cite' => ['http', 'https', :relative].freeze }, | |
78 | 'ins' => { 'cite' => ['http', 'https', :relative].freeze }, | |
79 | 'q' => { 'cite' => ['http', 'https', :relative].freeze }, | |
78 | 80 | 'img' => { |
79 | 'src' => ['http', 'https', :relative], | |
80 | 'longdesc' => ['http', 'https', :relative] | |
81 | } | |
81 | 'src' => ['http', 'https', :relative].freeze, | |
82 | 'longdesc' => ['http', 'https', :relative].freeze | |
83 | }.freeze | |
82 | 84 | }, |
83 | 85 | transformers: [ |
84 | 86 | # Top-level <li> elements are removed because they can break out of |
99 | 101 | node.replace(node.children) |
100 | 102 | end |
101 | 103 | } |
102 | ] | |
104 | ].freeze | |
103 | 105 | }.freeze |
104 | 106 | |
105 | 107 | # A more limited sanitization whitelist. This includes all attributes, |
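Review bot: The `protocols:` hash (new line 74 through 84) is the one nested container this hunk leaves unfrozen: it closes with a bare `},` at new line 84 while `attributes:` closes with `}.freeze,` and `transformers:` with `].freeze`, and inside it `'a' => { 'href' => ANCHOR_SCHEMES }` at new line 75 is unfrozen while the sibling `'img'` hash gets `.freeze`. Since the outer `.freeze` on the whole list is shallow, a filter or caller can still mutate the allowed-protocol table at runtime; changing those two lines to `'a' => { 'href' => ANCHOR_SCHEMES }.freeze,` and `}.freeze,` would make the hunk consistent with itself. The new `aria-describedby aria-hidden aria-label aria-labelledby` entries in the `all:` whitelist at new line 57 also deserve a one-line comment, since they apply to every element and are the only semantic (non-freeze) widening of the attribute list in this change: `# aria-* are allowed on all elements for accessibility; they carry no URL or script value`. This block is presumably a constant whose opening and some of whose transformer lines sit outside the visible hunks.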
0 | HTML::Pipeline.require_dependency('escape_utils', 'TableOfContentsFilter') | |
1 | ||
0 | 2 | module HTML |
1 | 3 | class Pipeline |
2 | 4 | # HTML filter that adds an 'id' attribute to all headers |
42 | 44 | uniq = headers[id] > 0 ? "-#{headers[id]}" : '' |
43 | 45 | headers[id] += 1 |
44 | 46 | if header_content = node.children.first |
45 | result[:toc] << %(<li><a href="##{id}#{uniq}">#{text}</a></li>\n) | |
47 | result[:toc] << %(<li><a href="##{id}#{uniq}">#{EscapeUtils.escape_html(text)}</a></li>\n) | |
46 | 48 | header_content.add_previous_sibling(%(<a id="#{id}#{uniq}" class="anchor" href="##{id}#{uniq}" aria-hidden="true">#{anchor_icon}</a>)) |
47 | 49 | end |
48 | 50 | end |
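Review bot: Only `text` is escaped by the change at new line 47; `id` and `uniq` are still interpolated raw into the `href` on the same line and into the `id`/`href` attributes on line 48. If `id` is produced from the heading text by a slug routine that keeps only word characters and hyphens, and `uniq` is only ever a number with a leading `-`, that is safe, but neither derivation is visible in this hunk, so it would be worth confirming and then recording the invariant with a comment above line 47: `# text is raw heading content and must be escaped; id/uniq are slug-derived and attribute-safe`. The enclosing method begins before this hunk.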
0 | 0 | module HTML |
1 | 1 | class Pipeline |
2 | VERSION = '2.8.0'.freeze | |
2 | VERSION = '2.8.4'.freeze | |
3 | 3 | end |
4 | 4 | end |
91 | 91 | assert_equal 6, doc.search('a').size |
92 | 92 | end |
93 | 93 | |
94 | def test_toc_outputs_escaped_html | |
95 | @orig = %(<h1><img src="x" onerror="alert(42)"></h1>) | |
96 | ||
97 | refute_includes toc, %(<img src="x" onerror="alert(42)">) | |
98 | end | |
99 | ||
94 | 100 | def test_toc_is_complete |
95 | 101 | @orig = %(<h1>"Funky President" by James Brown</h1> |
96 | 102 | <h2>"It's My Thing" by Marva Whitney</h2> |
100 | 106 | <h6>"Ruthless Villain" by Eazy-E</h6> |
101 | 107 | <h7>"Be Thankful for What You Got" by William DeVaughn</h7>) |
102 | 108 | |
103 | expected = %(<ul class="section-nav">\n<li><a href="#funky-president-by-james-brown">"Funky President" by James Brown</a></li>\n<li><a href="#its-my-thing-by-marva-whitney">"It's My Thing" by Marva Whitney</a></li>\n<li><a href="#boogie-back-by-roy-ayers">"Boogie Back" by Roy Ayers</a></li>\n<li><a href="#feel-good-by-fancy">"Feel Good" by Fancy</a></li>\n<li><a href="#funky-drummer-by-james-brown">"Funky Drummer" by James Brown</a></li>\n<li><a href="#ruthless-villain-by-eazy-e">"Ruthless Villain" by Eazy-E</a></li>\n</ul>) | |
109 | expected = %(<ul class="section-nav">\n<li><a href="#funky-president-by-james-brown">"Funky President" by James Brown</a></li>\n<li><a href="#its-my-thing-by-marva-whitney">"It's My Thing" by Marva Whitney</a></li>\n<li><a href="#boogie-back-by-roy-ayers">"Boogie Back" by Roy Ayers</a></li>\n<li><a href="#feel-good-by-fancy">"Feel Good" by Fancy</a></li>\n<li><a href="#funky-drummer-by-james-brown">"Funky Drummer" by James Brown</a></li>\n<li><a href="#ruthless-villain-by-eazy-e">"Ruthless Villain" by Eazy-E</a></li>\n</ul>) | |
104 | 110 | |
105 | 111 | assert_equal expected, toc |
106 | 112 | end |
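Review bot: `test_toc_outputs_escaped_html` (new lines 94–98) only asserts that the raw markup is absent from `toc`; it would also pass if the heading were dropped from the table of contents or its children stripped, so it does not pin the behaviour the fix introduces. Adding a positive assertion alongside the `refute_includes`, for example `assert_includes toc, '&lt;img'`, ties the test to escaping specifically and would fail if a later refactor changed the filter to strip the content instead.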