Clean up sanitization code
- remove html table test, this is soon to be deprecated - move sanitization tests into pretty text.rb - fix up whitelister so it makes a copy of options
This commit is contained in:
parent
febfe27669
commit
8967d50dc2
|
@ -151,13 +151,12 @@ export function setup(opts, siteSettings, state) {
|
|||
opts.setup = true;
|
||||
|
||||
if (!opts.discourse.sanitizer) {
|
||||
opts.sanitizer = opts.discourse.sanitizer = (!!opts.discourse.sanitize) ? sanitize : a=>a;
|
||||
const whiteLister = new WhiteLister(opts.discourse);
|
||||
opts.sanitizer = opts.discourse.sanitizer = (!!opts.discourse.sanitize) ? a=>sanitize(a, whiteLister) : a=>a;
|
||||
}
|
||||
}
|
||||
|
||||
export function cook(raw, opts) {
|
||||
const whiteLister = new WhiteLister(opts.discourse);
|
||||
|
||||
// we still have to hoist html_raw nodes so they bypass the whitelister
|
||||
// this is the case for oneboxes
|
||||
let hoisted = {};
|
||||
|
@ -165,7 +164,7 @@ export function cook(raw, opts) {
|
|||
opts.discourse.hoisted = hoisted;
|
||||
|
||||
const rendered = opts.engine.render(raw);
|
||||
let cooked = opts.discourse.sanitizer(rendered, whiteLister).trim();
|
||||
let cooked = opts.discourse.sanitizer(rendered).trim();
|
||||
|
||||
const keys = Object.keys(hoisted);
|
||||
if (keys.length) {
|
||||
|
|
|
@ -25,7 +25,7 @@ export default class WhiteLister {
|
|||
this._featureKeys = Object.keys(options.features).filter(f => options.features[f]);
|
||||
this._key = this._featureKeys.join(':');
|
||||
this._features = options.features;
|
||||
this._options = {};
|
||||
this._options = options;
|
||||
}
|
||||
|
||||
getCustom() {
|
||||
|
|
|
@ -440,21 +440,6 @@ HTML
|
|||
expect(PrettyText.cook(raw)).to match_html(cooked)
|
||||
end
|
||||
|
||||
describe 'tables' do
|
||||
it 'allows table html' do
|
||||
SiteSetting.allow_html_tables = true
|
||||
table = "<table class='fa-spin'><thead><tr>\n<th class='fa-spin'>test</th></tr></thead><tbody><tr><td>a</td></tr></tbody></table>"
|
||||
match = "<table class=\"md-table\"><thead><tr> <th>test</th> </tr></thead><tbody><tr><td>a</td></tr></tbody></table>"
|
||||
expect(PrettyText.cook(table)).to match_html(match)
|
||||
end
|
||||
|
||||
it 'allows no tables when not enabled' do
|
||||
SiteSetting.allow_html_tables = false
|
||||
table = "<table><thead><tr><th>test</th></tr></thead><tbody><tr><td>a</td></tr></tbody></table>"
|
||||
expect(PrettyText.cook(table)).to match_html("")
|
||||
end
|
||||
end
|
||||
|
||||
describe "emoji" do
|
||||
it "replaces unicode emoji with our emoji sets if emoji is enabled" do
|
||||
expect(PrettyText.cook("💣")).to match(/\:bomb\:/)
|
||||
|
@ -518,10 +503,6 @@ HTML
|
|||
SiteSetting.enable_experimental_markdown_it = true
|
||||
end
|
||||
|
||||
after do
|
||||
SiteSetting.enable_experimental_markdown_it = false
|
||||
end
|
||||
|
||||
# it "replaces skin toned emoji" do
|
||||
# expect(PrettyText.cook("hello 👱🏿♀️")).to eq("<p>hello <img src=\"/images/emoji/emoji_one/blonde_woman/6.png?v=5\" title=\":blonde_woman:t6:\" class=\"emoji\" alt=\":blonde_woman:t6:\"></p>")
|
||||
# expect(PrettyText.cook("hello 👩🎤")).to eq("<p>hello <img src=\"/images/emoji/emoji_one/woman_singer.png?v=5\" title=\":woman_singer:\" class=\"emoji\" alt=\":woman_singer:\"></p>")
|
||||
|
@ -530,6 +511,20 @@ HTML
|
|||
# end
|
||||
#
|
||||
|
||||
it "supports href schemes" do
|
||||
SiteSetting.allowed_href_schemes = "macappstore|steam"
|
||||
cooked = cook("[Steam URL Scheme](steam://store/452530)")
|
||||
expected = '<p><a href="steam://store/452530" rel="nofollow noopener">Steam URL Scheme</a></p>'
|
||||
expect(cooked).to eq(n expected)
|
||||
end
|
||||
|
||||
it "supports forbidden schemes" do
|
||||
SiteSetting.allowed_href_schemes = "macappstore|itunes"
|
||||
cooked = cook("[Steam URL Scheme](steam://store/452530)")
|
||||
expected = '<p><a>Steam URL Scheme</a></p>'
|
||||
expect(cooked).to eq(n expected)
|
||||
end
|
||||
|
||||
it "produces tag links" do
|
||||
Fabricate(:topic, {tags: [Fabricate(:tag, name: 'known')]})
|
||||
expect(PrettyText.cook("x #unknown::tag #known::tag")).to match_html("<p>x <span class=\"hashtag\">#unknown::tag</span> <a class=\"hashtag\" href=\"http://test.localhost/tags/known\">#<span>known</span></a></p>")
|
||||
|
|
|
@ -73,11 +73,3 @@ function md(assert, input, expected, text, settings) {
|
|||
%>
|
||||
|
||||
<%= mdtest_suite %>
|
||||
|
||||
test("whitelisted url scheme", function(assert) {
|
||||
md(assert, "[Steam URL Scheme](steam://store/452530)", '<p><a href="steam://store/452530">Steam URL Scheme</a></p>', 'whitelists the steam url', {allowed_href_schemes: "macappstore|steam"});
|
||||
});
|
||||
|
||||
test("forbidden url scheme", function(assert) {
|
||||
md(assert, "[Steam URL Scheme](steam://store/452530)", '<p><a>Steam URL Scheme</a></p>', 'removes the href', {allowed_href_schemes: "macappstore|itunes"});
|
||||
});
|
||||
|
|
Loading…
Reference in New Issue