Make Pipelines responsible for defining their custom whitelist
This allows for future pipelines to more easily define a custom whitelist.
parent
1731f45e2b
commit
47982e50c4
4 changed files with 50 additions and 31 deletions
@ -8,14 +8,7 @@ module Banzai
|
|||
# Extends HTML::Pipeline::SanitizationFilter with a custom whitelist.
|
||||
class SanitizationFilter < HTML::Pipeline::SanitizationFilter
|
||||
def whitelist
|
||||
# Descriptions are more heavily sanitized, allowing only a few elements.
|
||||
# See http://git.io/vkuAN
|
||||
if context[:inline_sanitization]
|
||||
whitelist = LIMITED
|
||||
whitelist[:elements] -= %w(pre code img ol ul li)
|
||||
else
|
||||
whitelist = super
|
||||
end
|
||||
|
||||
customize_whitelist(whitelist)
|
||||
|
||||
|
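Review bot: After this hunk `SanitizationFilter#whitelist` no longer says where a pipeline-specific list comes from — the description-specific comments were removed and nothing replaced them, although the only remaining way to customise the list is through the context (this commit's DescriptionPipeline passes a `whitelist:` key). A one-line comment above `whitelist = super`, such as `# super returns context[:whitelist] when a pipeline supplies one, otherwise the default list`, would record the new contract; I am inferring the context lookup from the pipeline change, so confirm it against `HTML::Pipeline::SanitizationFilter#whitelist` before committing to the wording. Naming the local `whitelist` inside `def whitelist` shadows the method itself; `list = super` followed by `customize_whitelist(list)` reads more clearly. The method's closing `end` lies outside the hunk.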
@ -4,9 +4,20 @@ module Banzai
|
|||
def self.transform_context(context)
|
||||
super(context).merge(
|
||||
# SanitizationFilter
|
||||
inline_sanitization: true
|
||||
whitelist: whitelist
|
||||
)
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def self.whitelist
|
||||
# Descriptions are more heavily sanitized, allowing only a few elements.
|
||||
# See http://git.io/vkuAN
|
||||
whitelist = Banzai::Filter::SanitizationFilter::LIMITED
|
||||
whitelist[:elements] -= %w(pre code img ol ul li)
|
||||
|
||||
whitelist
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
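Review bot: `whitelist[:elements] -= %w(pre code img ol ul li)` in the new `self.whitelist` writes back into `Banzai::Filter::SanitizationFilter::LIMITED` itself — `-=` expands to `whitelist[:elements] = whitelist[:elements] - ...` on the very hash the constant points to — so the first description render narrows the shared list for every other user of `LIMITED`, or raises if the constant is frozen. The filter did the same before this commit, but now that each pipeline builds its own list it should start from a copy: `whitelist = Banzai::Filter::SanitizationFilter::LIMITED.dup` is enough for this line, and `deep_dup` if `customize_whitelist` (outside this hunk) mutates the nested arrays. Separately, the `private` marker above `def self.whitelist` has no effect on a singleton method, so the helper stays public; use `private_class_method :whitelist` after the definition instead.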
@ -177,26 +177,4 @@ describe Banzai::Filter::SanitizationFilter, lib: true do
|
|||
expect(act.to_html).to eq exp
|
||||
end
|
||||
end
|
||||
|
||||
context 'when inline_sanitization is true' do
|
||||
it 'uses a stricter whitelist' do
|
||||
doc = filter('<h1>Description</h1>', inline_sanitization: true)
|
||||
expect(doc.to_html.strip).to eq 'Description'
|
||||
end
|
||||
|
||||
%w(pre code img ol ul li).each do |elem|
|
||||
it "removes '#{elem}' elements" do
|
||||
act = "<#{elem}>Description</#{elem}>"
|
||||
expect(filter(act, inline_sanitization: true).to_html.strip).
|
||||
to eq 'Description'
|
||||
end
|
||||
end
|
||||
|
||||
%w(b i strong em a ins del sup sub p).each do |elem|
|
||||
it "still allows '#{elem}' elements" do
|
||||
exp = act = "<#{elem}>Description</#{elem}>"
|
||||
expect(filter(act, inline_sanitization: true).to_html).to eq exp
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
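--- /dev/null
+++ b/spec/lib/banzai/pipeline/description_pipeline_spec.rb
@@ -0,0 +1,37 @@
+require 'rails_helper'
+
+describe Banzai::Pipeline::DescriptionPipeline do
+  def parse(html)
+    # When we pass HTML to Redcarpet, it gets wrapped in `p` tags...
+    # ...except when we pass it pre-wrapped text. Rabble rabble.
+    unwrap = !html.start_with?('<p>')
+
+    output = described_class.to_html(html, project: spy)
+
+    output.gsub!(%r{\A<p>(.*)</p>(.*)\z}, '\1\2') if unwrap
+
+    output
+  end
+
+  it 'uses a limited whitelist' do
+    doc = parse('# Description')
+
+    expect(doc.strip).to eq 'Description'
+  end
+
+  %w(pre code img ol ul li).each do |elem|
+    it "removes '#{elem}' elements" do
+      act = "<#{elem}>Description</#{elem}>"
+
+      expect(parse(act).strip).to eq 'Description'
+    end
+  end
+
+  %w(b i strong em a ins del sup sub p).each do |elem|
+    it "still allows '#{elem}' elements" do
+      exp = act = "<#{elem}>Description</#{elem}>"
+
+      expect(parse(act).strip).to eq exp
+    end
+  end
+end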
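Review bot: Nothing in the new spec checks that rendering a description leaves `Banzai::Filter::SanitizationFilter::LIMITED` intact, even though the pipeline's `self.whitelist` derives its list from that constant with an in-place `-=`; an example that snapshots `LIMITED[:elements]`, calls `parse`, and expects the snapshot to be unchanged would catch the shared list being narrowed. In `parse`, the unwrap regex `%r{\A<p>(.*)</p>(.*)\z}` uses `.` without the `m` flag, so a trailing newline or any newline inside the output leaves the `<p>` wrapper in place and `gsub!` silently returns nil; if the pipeline output can contain newlines, `%r{\A<p>(.*)</p>(.*)\z}m` or a trailing `\s*\z` makes the helper robust. I cannot tell from here whether `described_class.to_html` output ends with a newline, so treat that as a check rather than a confirmed defect.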