Allow links and images on legislation drafts

Note we're using a new sanitizer. Ideally we'd reuse the
`AdminWYSIWYGSanitizer`, but then code that would be correctly shown by
markdown-it (like the <h1> tag) wouldn't be shown on the web, which is
confusing. Ideally we would configure markdown-it to only allow the tags
present in the `AdminWYSIWYGSanitizer` and provide some kind of help
showing which tags are allowed.
Julian Herrero
2020-07-25 12:42:19 +07:00
committed by Javi Martín
parent b2a07121e3
commit 151aa6009d
4 changed files with 17 additions and 5 deletions


@@ -25,7 +25,7 @@ module ApplicationHelper
superscript: true superscript: true
} }
sanitize(Redcarpet::Markdown.new(renderer, extensions).render(text)) AdminLegislationSanitizer.new.sanitize(Redcarpet::Markdown.new(renderer, extensions).render(text))
end end
def wysiwyg(text) def wysiwyg(text)
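Review bot: `AdminLegislationSanitizer.new` is instantiated inline on the changed line and again in the view at L31 and L39; a single helper such as `def legislation_sanitizer` returning `AdminLegislationSanitizer.new` (or a memoized reader) would keep the allow-list choice in one place, so a later tightening cannot be missed at one of the three call sites. The changed line replaces Rails' `sanitize` helper, whose result is `html_safe`; whether `WYSIWYGSanitizer#sanitize` marks its return value the same way is not visible on this page, and the `<%= %>` calls in the view depend on it — confirm against the parent class. The method enclosing the changed line starts before this hunk.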


@@ -57,7 +57,7 @@
<div data-sticky-container> <div data-sticky-container>
<div data-sticky data-anchor="sticky-panel" class="draft-index sticky" data-tree-navigator> <div data-sticky data-anchor="sticky-panel" class="draft-index sticky" data-tree-navigator>
<%= sanitize(@draft_version.toc_html) %> <%= AdminLegislationSanitizer.new.sanitize(@draft_version.toc_html) %>
</div> </div>
</div> </div>
</div> </div>
@@ -74,7 +74,7 @@
data-legislation-annotatable-base-url="<%= legislation_process_draft_version_path(@process, @draft_version) %>" data-legislation-annotatable-base-url="<%= legislation_process_draft_version_path(@process, @draft_version) %>"
data-legislation-open-phase="<%= @process.allegations_phase.open? %>"> data-legislation-open-phase="<%= @process.allegations_phase.open? %>">
<% end %> <% end %>
<%= sanitize(@draft_version.body_html, { attributes: ["id"] }) %> <%= AdminLegislationSanitizer.new.sanitize(@draft_version.body_html) %>
</section> </section>
</div> </div>
</div> </div>


@@ -0,0 +1,9 @@
class AdminLegislationSanitizer < WYSIWYGSanitizer
def allowed_tags
super + %w[img h1 h4 h5 h6]
end
def allowed_attributes
super + %w[alt src id]
end
end
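Review bot: `allowed_attributes` adds `src` (and `id`) to the allow-list for every tag, but nothing on this page shows how URL-valued attributes are validated; if `WYSIWYGSanitizer` wraps `Rails::Html::SafeListSanitizer` the permit scrubber already drops values with a non-allowed scheme in `src`/`href`, otherwise that check belongs in this class — confirm against the parent, which is outside the diff. The new spec only exercises a relative `src` and an `https` `href`, so a case asserting that an `img` whose `src` uses another scheme is removed would pin the guarantee either way. Allowing `id` on every tag (the old body view passed only `attributes: ["id"]`, and the TOC and helper allowed none) also lets draft authors choose ids that collide with anchors the page relies on, such as `sticky-panel` in the view hunk — consider scoping it or documenting the trade-off. A class comment would record the rationale given in the commit message, e.g. `# Separate from AdminWYSIWYGSanitizer so the tags markdown-it renders in the admin preview (h1, img, ...) are also shown on the public page.`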


@@ -164,12 +164,15 @@ describe "Cross-Site Scripting protection", :js do
expect(page.text).not_to be_empty expect(page.text).not_to be_empty
end end
scenario "legislation version body filters script tags but not header IDs" do scenario "legislation version body filters script tags but not header IDs nor tags like images" do
version = create(:legislation_draft_version, :published, body: "# Title 1\n#{attack_code}") markdown = "# Title 1\n<a href='https://domain.com/url'>link</a><img src='/image.png'>"
version = create(:legislation_draft_version, :published, body: "#{markdown}#{attack_code}")
visit legislation_process_draft_version_path(version.process, version) visit legislation_process_draft_version_path(version.process, version)
expect(page.text).not_to be_empty expect(page.text).not_to be_empty
expect(page).to have_css "h1#title-1", text: "Title 1" expect(page).to have_css "h1#title-1", text: "Title 1"
expect(page).to have_link "link", href: "https://domain.com/url"
expect(page).to have_css('img[src="/image.png"')
end end
end end
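Review bot: The selector in the new `img` assertion is missing its closing bracket — `have_css('img[src="/image.png"')` — and should read `expect(page).to have_css "img[src='/image.png']"`, which also matches the quoting and no-parens style of the `h1#title-1` line above it. Browsers tend to tolerate an unterminated attribute selector, so the scenario likely passes as written, which is exactly why the typo would go unnoticed. The scenario now proves the link and image survive, but adds no negative case for the attributes the sanitizer newly allows (`src`, `id`); `attack_code` is defined outside the hunk, so I cannot tell whether it covers them.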