FIX: Only wrap inline html tags in <p>

This commit is contained in:
Robin Ward 2013-10-18 15:20:27 -04:00
parent 715a6d177a
commit d7182d0b14
13 changed files with 23 additions and 56 deletions

View File

@ -1,8 +1,18 @@
/** /**
If a row begins with HTML tags, don't parse it. If a row begins with HTML tags, don't parse it.
**/ **/
var blockTags = ['address', 'article', 'aside', 'audio', 'blockquote', 'canvas', 'dd', 'div',
'dl', 'fieldset', 'figcaption', 'figure', 'footer', 'form', 'h1', 'h2', 'h3',
'h4', 'h5', 'h6', 'header', 'hgroup', 'hr', 'noscript', 'ol', 'output',
'p', 'pre', 'section', 'table', 'tfoot', 'ul', 'video'];
Discourse.Dialect.registerBlock('html', function(block, next) { Discourse.Dialect.registerBlock('html', function(block, next) {
if (block.match(/^<[^>]+\>/)) {
var m = /^<([^>]+)\>/.exec(block);
if (m && m[1]) {
var tag = m[1].split(/\s/);
if (tag && tag[0] && blockTags.indexOf(tag[0]) !== -1) {
return [ block.toString() ]; return [ block.toString() ];
} }
}
}); });

View File

@ -32,7 +32,7 @@ describe PrettyText do
end end
it "should sanitize the html" do it "should sanitize the html" do
PrettyText.cook("<script>alert(42)</script>").should match_html "" PrettyText.cook("<script>alert(42)</script>").should match_html "<p></p>"
end end
it 'should allow for @mentions to have punctuation' do it 'should allow for @mentions to have punctuation' do

View File

@ -56,6 +56,14 @@ test("Line Breaks", function() {
"it handles new lines correctly with [] options"); "it handles new lines correctly with [] options");
}); });
test("Paragraphs for HTML", function() {
cooked("<div>hello world</div>", "<div>hello world</div>", "it doesn't surround <div> with paragraphs");
cooked("<p>hello world</p>", "<p>hello world</p>", "it doesn't surround <p> with paragraphs");
cooked("<i>hello world</i>", "<p><i>hello world</i></p>", "it surrounds inline <i> html tags with paragraphs");
cooked("<b>hello world</b>", "<p><b>hello world</b></p>", "it surrounds inline <b> html tags with paragraphs");
});
test("Links", function() { test("Links", function() {
cooked("EvilTrout: http://eviltrout.com", cooked("EvilTrout: http://eviltrout.com",
@ -300,7 +308,7 @@ test("sanitize", function() {
cooked("hello<script>alert(42)</script>", "<p>hello</p>", "it sanitizes while cooking"); cooked("hello<script>alert(42)</script>", "<p>hello</p>", "it sanitizes while cooking");
cooked("<a href='http://disneyland.disney.go.com/'>disney</a> <a href='http://reddit.com'>reddit</a>", cooked("<a href='http://disneyland.disney.go.com/'>disney</a> <a href='http://reddit.com'>reddit</a>",
"<a href=\"http://disneyland.disney.go.com/\">disney</a> <a href=\"http://reddit.com\">reddit</a>", "<p><a href=\"http://disneyland.disney.go.com/\">disney</a> <a href=\"http://reddit.com\">reddit</a></p>",
"we can embed proper links"); "we can embed proper links");
}); });

View File

@ -1,8 +1,3 @@
<!--
Changed for Discourse:
- Our HTML sanitizer escapes > as &gt; even though Markdown doesn't specify that.
-->
<p>AT&amp;T has an ampersand in their name.</p> <p>AT&amp;T has an ampersand in their name.</p>
<p>AT&amp;T is another way to write it.</p> <p>AT&amp;T is another way to write it.</p>

View File

@ -1,10 +1,3 @@
<!--
Changed for Discourse:
- Our HTML sanitizer escapes quotes " as &quot;
- Our sanitizer has not whitelisted attr attributes in `span`s
- Our sanitizer replaces backticks with &#x60; in code blocks
-->
<p>These should all get escaped:</p> <p>These should all get escaped:</p>
<p>Backslash: \</p> <p>Backslash: \</p>

View File

@ -1,8 +1,3 @@
<!--
Changed for Discourse:
- Our HTML sanitizer escapes quotes " as &quot;
-->
<blockquote> <blockquote>
<p>Example:</p> <p>Example:</p>

View File

@ -1,10 +1,3 @@
<!--
Changed for Discourse:
- Our HTML sanitizer escapes quotes " as &quot;
- Our sanitizer has not whitelisted attr attributes in `span`s
- Our sanitizer replaces backticks with &#x60;
-->
<p><code>&lt;test a=&quot;</code> content of attribute <code>&quot;&gt;</code></p> <p><code>&lt;test a=&quot;</code> content of attribute <code>&quot;&gt;</code></p>
<p>Fix for backticks within HTML tag: <span>like this</span></p> <p>Fix for backticks within HTML tag: <span>like this</span></p>

View File

@ -1,9 +1,3 @@
<!--
Changed for Discourse:
- Our HTML sanitizer removes the style tag
- It removes id and classes.
-->
<p>Simple block on one line:</p> <p>Simple block on one line:</p>
<div>foo</div> <div>foo</div>

View File

@ -1,8 +1,3 @@
<!--
Changed for Discourse:
- It removes id and classes.
-->
<p>Here's a simple block:</p> <p>Here's a simple block:</p>
<div> <div>

View File

@ -1,8 +1,3 @@
<!--
Changed for Discourse:
- Our HTML sanitizer puts &#39; in attributes
-->
<p>Just a <a href="/url/">URL</a>.</p> <p>Just a <a href="/url/">URL</a>.</p>
<p><a href="/url/" title="title">URL and title</a>.</p> <p><a href="/url/" title="title">URL and title</a>.</p>

View File

@ -1,8 +1,3 @@
<!--
Changed for Discourse:
- Sanitized elements and entities
-->
<h1>Markdown: Basics</h1> <h1>Markdown: Basics</h1>
<ul> <ul>

View File

@ -1,8 +1,3 @@
<!--
Changed for Discourse:
- Sanitized elements and entities
-->
<h1>Markdown: Syntax</h1> <h1>Markdown: Syntax</h1>
<ul> <ul>

View File

@ -19,7 +19,6 @@ var md = function(input, expected, text) {
expectedNorm = normalize(expected), expectedNorm = normalize(expected),
same = (result === expected) || (resultNorm === expectedNorm); same = (result === expected) || (resultNorm === expectedNorm);
if (same) { if (same) {
ok(same, text); ok(same, text);
} else { } else {
@ -42,7 +41,7 @@ test("first", function(){
filename = Pathname.new(filename_no_ext) filename = Pathname.new(filename_no_ext)
text = File.read(f) text = File.read(f)
html = File.read("#{filename_no_ext}.xhtml").gsub(/\<\!\-\-(.*?)\-\-\>/m, '') html = File.read("#{filename_no_ext}.xhtml");
result << "test(\"#{filename}\", function() { md(#{text.to_json}, #{html.to_json}, 'passes MDTest'); });\n" result << "test(\"#{filename}\", function() { md(#{text.to_json}, #{html.to_json}, 'passes MDTest'); });\n"
end end
result result