Merge pull request #4067 from consul/links_and_images_on_legislation

Allow links and images on legislation drafts
Javier Martín
2020-08-10 13:45:48 +02:00
committed by GitHub
4 changed files with 17 additions and 5 deletions


@@ -25,7 +25,7 @@ module ApplicationHelper
superscript: true superscript: true
} }
sanitize(Redcarpet::Markdown.new(renderer, extensions).render(text)) AdminLegislationSanitizer.new.sanitize(Redcarpet::Markdown.new(renderer, extensions).render(text))
end end
def wysiwyg(text) def wysiwyg(text)
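Review bot: Swapping `sanitize(...)` for `AdminLegislationSanitizer.new.sanitize(...)` widens what this helper lets through — `img`, extra heading levels and the `id`/`src`/`alt` attributes — for every caller of the helper, not only the legislation views touched in this commit, so it is worth confirming that each call site renders content authored by trusted editors. The method whose body this is starts outside the hunk, so its name and callers are not visible here. A comment on the changed line such as `# Legislation markdown may carry images and heading ids; AdminLegislationSanitizer is the allow-list` would record why the default sanitizer is no longer used.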


@@ -57,7 +57,7 @@
<div data-sticky-container> <div data-sticky-container>
<div data-sticky data-anchor="sticky-panel" class="draft-index sticky" data-tree-navigator> <div data-sticky data-anchor="sticky-panel" class="draft-index sticky" data-tree-navigator>
<%= sanitize(@draft_version.toc_html) %> <%= AdminLegislationSanitizer.new.sanitize(@draft_version.toc_html) %>
</div> </div>
</div> </div>
</div> </div>
@@ -74,7 +74,7 @@
data-legislation-annotatable-base-url="<%= legislation_process_draft_version_path(@process, @draft_version) %>" data-legislation-annotatable-base-url="<%= legislation_process_draft_version_path(@process, @draft_version) %>"
data-legislation-open-phase="<%= @process.allegations_phase.open? %>"> data-legislation-open-phase="<%= @process.allegations_phase.open? %>">
<% end %> <% end %>
<%= sanitize(@draft_version.body_html, { attributes: ["id"] }) %> <%= AdminLegislationSanitizer.new.sanitize(@draft_version.body_html) %>
</section> </section>
</div> </div>
</div> </div>
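Review bot: The template constructs `AdminLegislationSanitizer.new` inline at both changed lines, which puts the choice of sanitizer policy in the view rather than in one place; a helper such as `def sanitize_legislation(html)` / `  AdminLegislationSanitizer.new.sanitize(html)` / `end` called from both spots would keep the policy in one method and make the two call sites read the same. Note also that the `toc_html` line previously went through the default allow-list without `id`, while only `body_html` opted into `attributes: ["id"]`; after this change both, plus `img`, are permitted in the TOC as well, which appears intended but is not stated in the PR description.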


@@ -0,0 +1,9 @@
class AdminLegislationSanitizer < WYSIWYGSanitizer
def allowed_tags
super + %w[img h1 h4 h5 h6]
end
def allowed_attributes
super + %w[alt src id]
end
end
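Review bot: The new class permits `src` on `img` but the only protection against unsafe URL schemes in that attribute lives in `WYSIWYGSanitizer`, which is not part of this commit, so the safety of this allow-list depends on the parent restricting `src` to http(s)-style schemes — presumably it does, but nothing on the page shows it. The class also has no comment explaining the trust model; a header like `# Allow-list for legislation content authored by administrators: adds images and heading ids on top of the WYSIWYG defaults. Relies on the parent sanitizer to restrict URL schemes in src.` would tell the next maintainer why this is broader than the default sanitizer. Allowing arbitrary `id` values on all legislation content means they can coincide with ids the page's own scripts look up (for example the sticky anchor in the view), so document that the ids are expected to come from the markdown heading generator.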


@@ -164,12 +164,15 @@ describe "Cross-Site Scripting protection", :js do
expect(page.text).not_to be_empty expect(page.text).not_to be_empty
end end
scenario "legislation version body filters script tags but not header IDs" do scenario "legislation version body filters script tags but not header IDs nor tags like images" do
version = create(:legislation_draft_version, :published, body: "# Title 1\n#{attack_code}") markdown = "# Title 1\n<a href='https://domain.com/url'>link</a><img src='/image.png'>"
version = create(:legislation_draft_version, :published, body: "#{markdown}#{attack_code}")
visit legislation_process_draft_version_path(version.process, version) visit legislation_process_draft_version_path(version.process, version)
expect(page.text).not_to be_empty expect(page.text).not_to be_empty
expect(page).to have_css "h1#title-1", text: "Title 1" expect(page).to have_css "h1#title-1", text: "Title 1"
expect(page).to have_link "link", href: "https://domain.com/url"
expect(page).to have_css('img[src="/image.png"')
end end
end end
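Review bot: The CSS selector on the `img` assertion is missing its closing bracket — `'img[src="/image.png"'` — and should read `expect(page).to have_css 'img[src="/image.png"]'`; a browser-backed `:js` driver tolerates the unterminated attribute selector, but the same spec would likely fail under a Nokogiri-backed driver, and the unbracketed form also differs in style from the `have_css "h1#title-1"` line above it. The scenario checks that a plain image survives but adds no negative case for the newly allowed `src` attribute, so a second `img` whose `src` uses a non-http(s) scheme, asserted absent with `expect(page).not_to have_css`, would cover what the sanitizer is expected to strip. The `describe` block and `attack_code` are defined outside the hunk.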