Update upstream source from tag 'upstream/2.8.4'
Update to upstream version '2.8.4'
with Debian dir 79662d240f2e096927d4e593ab77130a633be98c
Lucas Kanashiro
5 years ago
| 15 | 15 | gem 'minitest' |
| 16 | 16 | gem 'RedCloth', '~> 4.2.9', require: false |
| 17 | 17 | gem 'rinku', '~> 1.7', require: false |
| 18 | gem 'sanitize', '~> 2.0', require: false | |
| 18 | gem 'sanitize', '~> 4.6', require: false | |
| 19 | 19 | |
| 20 | 20 | gem 'escape_utils', '~> 1.0', require: false |
| 21 | 21 | gem 'rouge', '~> 3.1', require: false |
| 185 | 185 | * `PlainTextInputFilter` - `escape_utils` |
| 186 | 186 | * `SanitizationFilter` - `sanitize` |
| 187 | 187 | * `SyntaxHighlightFilter` - `rouge` |
| 188 | * `TableOfContentsFilter` - `escape_utils` | |
| 188 | 189 | * `TextileFilter` - `RedCloth` |
| 189 | 190 | |
| 190 | 191 | _Note:_ See [Gemfile](/Gemfile) `:test` block for version requirements. |
| 40 | 40 | elements: %w[ |
| 41 | 41 | h1 h2 h3 h4 h5 h6 h7 h8 br b i strong em a pre code img tt |
| 42 | 42 | div ins del sup sub p ol ul table thead tbody tfoot blockquote |
| 43 | dl dt dd kbd q samp var hr ruby rt rp li tr td th s strike summary details | |
| 44 | ], | |
| 45 | remove_contents: ['script'], | |
| 43 | dl dt dd kbd q samp var hr ruby rt rp li tr td th s strike summary | |
| 44 | details caption figure figcaption | |
| 45 | ].freeze, | |
| 46 | remove_contents: ['script'].freeze, | |
| 46 | 47 | attributes: { |
| 47 | 'a' => ['href'], | |
| 48 | 'img' => %w[src longdesc], | |
| 49 | 'div' => %w[itemscope itemtype], | |
| 50 | 'blockquote' => ['cite'], | |
| 51 | 'del' => ['cite'], | |
| 52 | 'ins' => ['cite'], | |
| 53 | 'q' => ['cite'], | |
| 54 | :all => ['abbr', 'accept', 'accept-charset', | |
| 55 | 'accesskey', 'action', 'align', 'alt', 'axis', | |
| 56 | 'border', 'cellpadding', 'cellspacing', 'char', | |
| 57 | 'charoff', 'charset', 'checked', | |
| 58 | 'clear', 'cols', 'colspan', 'color', | |
| 59 | 'compact', 'coords', 'datetime', 'dir', | |
| 60 | 'disabled', 'enctype', 'for', 'frame', | |
| 61 | 'headers', 'height', 'hreflang', | |
| 62 | 'hspace', 'ismap', 'label', 'lang', | |
| 63 | 'maxlength', 'media', 'method', | |
| 64 | 'multiple', 'name', 'nohref', 'noshade', | |
| 65 | 'nowrap', 'open', 'prompt', 'readonly', 'rel', 'rev', | |
| 66 | 'rows', 'rowspan', 'rules', 'scope', | |
| 67 | 'selected', 'shape', 'size', 'span', | |
| 68 | 'start', 'summary', 'tabindex', 'target', | |
| 69 | 'title', 'type', 'usemap', 'valign', 'value', | |
| 70 | 'vspace', 'width', 'itemprop'] | |
| 71 | }, | |
| 48 | 'a' => ['href'].freeze, | |
| 49 | 'img' => %w[src longdesc].freeze, | |
| 50 | 'div' => %w[itemscope itemtype].freeze, | |
| 51 | 'blockquote' => ['cite'].freeze, | |
| 52 | 'del' => ['cite'].freeze, | |
| 53 | 'ins' => ['cite'].freeze, | |
| 54 | 'q' => ['cite'].freeze, | |
| 55 | all: %w[abbr accept accept-charset | |
| 56 | accesskey action align alt | |
| 57 | aria-describedby aria-hidden aria-label aria-labelledby | |
| 58 | axis border cellpadding cellspacing char | |
| 59 | charoff charset checked | |
| 60 | clear cols colspan color | |
| 61 | compact coords datetime dir | |
| 62 | disabled enctype for frame | |
| 63 | headers height hreflang | |
| 64 | hspace ismap label lang | |
| 65 | maxlength media method | |
| 66 | multiple name nohref noshade | |
| 67 | nowrap open prompt readonly rel rev | |
| 68 | rows rowspan rules scope | |
| 69 | selected shape size span | |
| 70 | start summary tabindex target | |
| 71 | title type usemap valign value | |
| 72 | vspace width itemprop].freeze | |
| 73 | }.freeze, | |
| 72 | 74 | protocols: { |
| 73 | 75 | 'a' => { 'href' => ANCHOR_SCHEMES }, |
| 74 | 'blockquote' => { 'cite' => ['http', 'https', :relative] }, | |
| 75 | 'del' => { 'cite' => ['http', 'https', :relative] }, | |
| 76 | 'ins' => { 'cite' => ['http', 'https', :relative] }, | |
| 77 | 'q' => { 'cite' => ['http', 'https', :relative] }, | |
| 76 | 'blockquote' => { 'cite' => ['http', 'https', :relative].freeze }, | |
| 77 | 'del' => { 'cite' => ['http', 'https', :relative].freeze }, | |
| 78 | 'ins' => { 'cite' => ['http', 'https', :relative].freeze }, | |
| 79 | 'q' => { 'cite' => ['http', 'https', :relative].freeze }, | |
| 78 | 80 | 'img' => { |
| 79 | 'src' => ['http', 'https', :relative], | |
| 80 | 'longdesc' => ['http', 'https', :relative] | |
| 81 | } | |
| 81 | 'src' => ['http', 'https', :relative].freeze, | |
| 82 | 'longdesc' => ['http', 'https', :relative].freeze | |
| 83 | }.freeze | |
| 82 | 84 | }, |
| 83 | 85 | transformers: [ |
| 84 | 86 | # Top-level <li> elements are removed because they can break out of |
| 99 | 101 | node.replace(node.children) |
| 100 | 102 | end |
| 101 | 103 | } |
| 102 | ] | |
| 104 | ].freeze | |
| 103 | 105 | }.freeze |
| 104 | 106 | |
| 105 | 107 | # A more limited sanitization whitelist. This includes all attributes, |
| 0 | HTML::Pipeline.require_dependency('escape_utils', 'TableOfContentsFilter') | |
| 1 | ||
| 0 | 2 | module HTML |
| 1 | 3 | class Pipeline |
| 2 | 4 | # HTML filter that adds an 'id' attribute to all headers |
| 42 | 44 | uniq = headers[id] > 0 ? "-#{headers[id]}" : '' |
| 43 | 45 | headers[id] += 1 |
| 44 | 46 | if header_content = node.children.first |
| 45 | result[:toc] << %(<li><a href="##{id}#{uniq}">#{text}</a></li>\n) | |
| 47 | result[:toc] << %(<li><a href="##{id}#{uniq}">#{EscapeUtils.escape_html(text)}</a></li>\n) | |
| 46 | 48 | header_content.add_previous_sibling(%(<a id="#{id}#{uniq}" class="anchor" href="##{id}#{uniq}" aria-hidden="true">#{anchor_icon}</a>)) |
| 47 | 49 | end |
| 48 | 50 | end |
| 0 | 0 | module HTML |
| 1 | 1 | class Pipeline |
| 2 | VERSION = '2.8.0'.freeze | |
| 2 | VERSION = '2.8.4'.freeze | |
| 3 | 3 | end |
| 4 | 4 | end |
| 91 | 91 | assert_equal 6, doc.search('a').size |
| 92 | 92 | end |
| 93 | 93 | |
| 94 | def test_toc_outputs_escaped_html | |
| 95 | @orig = %(<h1><img src="x" onerror="alert(42)"></h1>) | |
| 96 | ||
| 97 | refute_includes toc, %(<img src="x" onerror="alert(42)">) | |
| 98 | end | |
| 99 | ||
| 94 | 100 | def test_toc_is_complete |
| 95 | 101 | @orig = %(<h1>"Funky President" by James Brown</h1> |
| 96 | 102 | <h2>"It's My Thing" by Marva Whitney</h2> |
| 100 | 106 | <h6>"Ruthless Villain" by Eazy-E</h6> |
| 101 | 107 | <h7>"Be Thankful for What You Got" by William DeVaughn</h7>) |
| 102 | 108 | |
| 103 | expected = %(<ul class="section-nav">\n<li><a href="#funky-president-by-james-brown">"Funky President" by James Brown</a></li>\n<li><a href="#its-my-thing-by-marva-whitney">"It's My Thing" by Marva Whitney</a></li>\n<li><a href="#boogie-back-by-roy-ayers">"Boogie Back" by Roy Ayers</a></li>\n<li><a href="#feel-good-by-fancy">"Feel Good" by Fancy</a></li>\n<li><a href="#funky-drummer-by-james-brown">"Funky Drummer" by James Brown</a></li>\n<li><a href="#ruthless-villain-by-eazy-e">"Ruthless Villain" by Eazy-E</a></li>\n</ul>) | |
| 109 | expected = %(<ul class="section-nav">\n<li><a href="#funky-president-by-james-brown">"Funky President" by James Brown</a></li>\n<li><a href="#its-my-thing-by-marva-whitney">"It's My Thing" by Marva Whitney</a></li>\n<li><a href="#boogie-back-by-roy-ayers">"Boogie Back" by Roy Ayers</a></li>\n<li><a href="#feel-good-by-fancy">"Feel Good" by Fancy</a></li>\n<li><a href="#funky-drummer-by-james-brown">"Funky Drummer" by James Brown</a></li>\n<li><a href="#ruthless-villain-by-eazy-e">"Ruthless Villain" by Eazy-E</a></li>\n</ul>) | |
| 104 | 110 | |
| 105 | 111 | assert_equal expected, toc |
| 106 | 112 | end |