Make Pipelines responsible for defining their custom whitelist

This allows for future pipelines to more easily define a custom whitelist.
2016-02-03 17:19:54 -05:00 · 2016-02-03 17:19:54 -05:00 · 47982e50c4
commit 47982e50c4
parent 1731f45e2b
4 changed files with 50 additions and 31 deletions
--- a/lib/banzai/filter/sanitization_filter.rb
+++ b/lib/banzai/filter/sanitization_filter.rb
@ -8,14 +8,7 @@ module Banzai
    # Extends HTML::Pipeline::SanitizationFilter with a custom whitelist.
    class SanitizationFilter < HTML::Pipeline::SanitizationFilter
      def whitelist
-        # Descriptions are more heavily sanitized, allowing only a few elements.
-        # See http://git.io/vkuAN
-        if context[:inline_sanitization]
-          whitelist = LIMITED
-          whitelist[:elements] -= %w(pre code img ol ul li)
-        else
-          whitelist = super
-        end
+        whitelist = super

        customize_whitelist(whitelist)

--- a/lib/banzai/pipeline/description_pipeline.rb
+++ b/lib/banzai/pipeline/description_pipeline.rb
@ -4,9 +4,20 @@ module Banzai
      def self.transform_context(context)
        super(context).merge(
          # SanitizationFilter
-          inline_sanitization: true
+          whitelist: whitelist
        )
      end
+
+      private
+
+      def self.whitelist
+        # Descriptions are more heavily sanitized, allowing only a few elements.
+        # See http://git.io/vkuAN
+        whitelist = Banzai::Filter::SanitizationFilter::LIMITED
+        whitelist[:elements] -= %w(pre code img ol ul li)
+
+        whitelist
+      end
    end
  end
 end
--- a/spec/lib/banzai/filter/sanitization_filter_spec.rb
+++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb
@ -177,26 +177,4 @@ describe Banzai::Filter::SanitizationFilter, lib: true do
      expect(act.to_html).to eq exp
    end
  end
-
-  context 'when inline_sanitization is true' do
-    it 'uses a stricter whitelist' do
-      doc = filter('<h1>Description</h1>', inline_sanitization: true)
-      expect(doc.to_html.strip).to eq 'Description'
-    end
-
-    %w(pre code img ol ul li).each do |elem|
-      it "removes '#{elem}' elements" do
-        act = "<#{elem}>Description</#{elem}>"
-        expect(filter(act, inline_sanitization: true).to_html.strip).
-          to eq 'Description'
-      end
-    end
-
-    %w(b i strong em a ins del sup sub p).each do |elem|
-      it "still allows '#{elem}' elements" do
-        exp = act = "<#{elem}>Description</#{elem}>"
-        expect(filter(act, inline_sanitization: true).to_html).to eq exp
-      end
-    end
-  end
 end
--- a/spec/lib/banzai/pipeline/description_pipeline_spec.rb
+++ b/spec/lib/banzai/pipeline/description_pipeline_spec.rb
@ -0,0 +1,37 @@
+require 'rails_helper'
+
+describe Banzai::Pipeline::DescriptionPipeline do
+  def parse(html)
+    # When we pass HTML to Redcarpet, it gets wrapped in `p` tags...
+    # ...except when we pass it pre-wrapped text. Rabble rabble.
+    unwrap = !html.start_with?('<p>')
+
+    output = described_class.to_html(html, project: spy)
+
+    output.gsub!(%r{\A<p>(.*)</p>(.*)\z}, '\1\2') if unwrap
+
+    output
+  end
+
+  it 'uses a limited whitelist' do
+    doc = parse('# Description')
+
+    expect(doc.strip).to eq 'Description'
+  end
+
+  %w(pre code img ol ul li).each do |elem|
+    it "removes '#{elem}' elements" do
+      act = "<#{elem}>Description</#{elem}>"
+
+      expect(parse(act).strip).to eq 'Description'
+    end
+  end
+
+  %w(b i strong em a ins del sup sub p).each do |elem|
+    it "still allows '#{elem}' elements" do
+      exp = act = "<#{elem}>Description</#{elem}>"
+
+      expect(parse(act).strip).to eq exp
+    end
+  end
+end