Make Pipelines responsible for defining their custom whitelist

This allows for future pipelines to more easily define a custom
whitelist.
This commit is contained in:
Robert Speicher 2016-02-03 17:19:54 -05:00
parent 1731f45e2b
commit 47982e50c4
4 changed files with 50 additions and 31 deletions

View file

@ -8,14 +8,7 @@ module Banzai
# Extends HTML::Pipeline::SanitizationFilter with a custom whitelist.
class SanitizationFilter < HTML::Pipeline::SanitizationFilter
def whitelist
# Descriptions are more heavily sanitized, allowing only a few elements.
# See http://git.io/vkuAN
if context[:inline_sanitization]
whitelist = LIMITED
whitelist[:elements] -= %w(pre code img ol ul li)
else
whitelist = super
end
customize_whitelist(whitelist)

View file

@ -4,9 +4,20 @@ module Banzai
def self.transform_context(context)
super(context).merge(
# SanitizationFilter
inline_sanitization: true
whitelist: whitelist
)
end
private
def self.whitelist
# Descriptions are more heavily sanitized, allowing only a few elements.
# See http://git.io/vkuAN
whitelist = Banzai::Filter::SanitizationFilter::LIMITED
whitelist[:elements] -= %w(pre code img ol ul li)
whitelist
end
end
end
end

View file

@ -177,26 +177,4 @@ describe Banzai::Filter::SanitizationFilter, lib: true do
expect(act.to_html).to eq exp
end
end
context 'when inline_sanitization is true' do
it 'uses a stricter whitelist' do
doc = filter('<h1>Description</h1>', inline_sanitization: true)
expect(doc.to_html.strip).to eq 'Description'
end
%w(pre code img ol ul li).each do |elem|
it "removes '#{elem}' elements" do
act = "<#{elem}>Description</#{elem}>"
expect(filter(act, inline_sanitization: true).to_html.strip).
to eq 'Description'
end
end
%w(b i strong em a ins del sup sub p).each do |elem|
it "still allows '#{elem}' elements" do
exp = act = "<#{elem}>Description</#{elem}>"
expect(filter(act, inline_sanitization: true).to_html).to eq exp
end
end
end
end

View file

@ -0,0 +1,37 @@
require 'rails_helper'
describe Banzai::Pipeline::DescriptionPipeline do
def parse(html)
# When we pass HTML to Redcarpet, it gets wrapped in `p` tags...
# ...except when we pass it pre-wrapped text. Rabble rabble.
unwrap = !html.start_with?('<p>')
output = described_class.to_html(html, project: spy)
output.gsub!(%r{\A<p>(.*)</p>(.*)\z}, '\1\2') if unwrap
output
end
it 'uses a limited whitelist' do
doc = parse('# Description')
expect(doc.strip).to eq 'Description'
end
%w(pre code img ol ul li).each do |elem|
it "removes '#{elem}' elements" do
act = "<#{elem}>Description</#{elem}>"
expect(parse(act).strip).to eq 'Description'
end
end
%w(b i strong em a ins del sup sub p).each do |elem|
it "still allows '#{elem}' elements" do
exp = act = "<#{elem}>Description</#{elem}>"
expect(parse(act).strip).to eq exp
end
end
end