From 2e8aa209f013d567bb3956a3e4201d3b2d63fe10 Mon Sep 17 00:00:00 2001
From: Robert Speicher
Date: Sun, 2 Apr 2017 17:39:41 +0000
Subject: Merge branch '30125-markdown-security'
Remove class from SanitizationFilter whitelist
See merge request !2079
---
spec/lib/banzai/filter/markdown_filter_spec.rb | 19 +++++++++++++++++++
spec/lib/banzai/filter/sanitization_filter_spec.rb | 7 ++++---
.../lib/banzai/filter/syntax_highlight_filter_spec.rb | 6 +++---
3 files changed, 26 insertions(+), 6 deletions(-)
create mode 100644 spec/lib/banzai/filter/markdown_filter_spec.rb
(limited to 'spec/lib/banzai')
diff --git a/spec/lib/banzai/filter/markdown_filter_spec.rb b/spec/lib/banzai/filter/markdown_filter_spec.rb
new file mode 100644
index 00000000000..897288b8ad5
--- /dev/null
+++ b/spec/lib/banzai/filter/markdown_filter_spec.rb
@@ -0,0 +1,19 @@
+require 'spec_helper'
+
+describe Banzai::Filter::MarkdownFilter, lib: true do
+ include FilterSpecHelper
+
+ context 'code block' do
+ it 'adds language to lang attribute when specified' do
+ result = filter("```html\nsome code\n```")
+
+ expect(result).to start_with("\n
")
+    end
+
+    it 'does not add language to lang attribute when not specified' do
+      result = filter("```\nsome code\n```")
+
+      expect(result).to start_with("\n
")
+    end
+  end
+end
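Review bot: The new spec pins only that a `lang` attribute appears for a fence with an info string and is absent without one, but the info string is author-controlled markdown, so the spec should also pin that a quote or angle bracket in it cannot break out of the attribute. Add a case such as `it 'escapes the language name in the lang attribute'` with ``result = filter("```html\" onmouseover=\"alert(1)\nsome code\n```")`` and `expect(result).not_to include('onmouseover="')`, tightening to the exact escaped form once confirmed against the renderer. `start_with` matches only a prefix, so the closing tags of these two-line inputs are never asserted; `eq` on the full output would be tighter here. The expected strings are not legible as rendered on this page, so I have not checked their exact content.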
diff --git a/spec/lib/banzai/filter/sanitization_filter_spec.rb b/spec/lib/banzai/filter/sanitization_filter_spec.rb
index b4cd5f63a15..fdbc65b5e00 100644
--- a/spec/lib/banzai/filter/sanitization_filter_spec.rb
+++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb
@@ -49,11 +49,12 @@ describe Banzai::Filter::SanitizationFilter, lib: true do
       instance = described_class.new('Foo')
       3.times { instance.whitelist }
 
-      expect(instance.whitelist[:transformers].size).to eq 5
+      expect(instance.whitelist[:transformers].size).to eq 4
     end
 
-    it 'allows syntax highlighting' do
-      exp = act = %q{
def
}
+ it 'sanitizes `class` attribute from all elements' do
+ act = %q{
<span class="k">def</span>
}
+ exp = %q{
<span class="k">def</span>
}
 expect(filter(act).to_html).to eq exp
 end
diff --git a/spec/lib/banzai/filter/syntax_highlight_filter_spec.rb b/spec/lib/banzai/filter/syntax_highlight_filter_spec.rb
index 63fb1bb25c4..f61fc8ceb9e 100644
--- a/spec/lib/banzai/filter/syntax_highlight_filter_spec.rb
+++ b/spec/lib/banzai/filter/syntax_highlight_filter_spec.rb
@@ -12,14 +12,14 @@ describe Banzai::Filter::SyntaxHighlightFilter, lib: true do
 context "when a valid language is specified" do
 it "highlights as that language" do
- result = filter('
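Review bot: The example title on the added `it` says the `class` attribute is sanitized from all elements, but the single input only exercises `pre`/`code`/`span` in the syntax-highlighting shape, so a regression that re-whitelists `class` on some other element would still pass. Consider a second input on an element that keeps its other whitelisted attributes, e.g. `act = %q{<a class="x" href="http://example.com">link</a>}` expecting `%q{<a href="http://example.com">link</a>}` (assuming `a[href]` stays whitelisted), so the assertion covers the whitelist rather than one fixture. As rendered here the `act` and `exp` bodies look identical, which is presumably an artifact of the page stripping the `<pre>`/`<code>` markup rather than the spec itself, but it is worth confirming that `exp` carries no `class` on the `span`. The `eq 4` transformer count above is a magic number; a one-line comment naming the four transformers would keep the next whitelist change from being a guessing game.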
def fun end
')
+ result = filter('
def fun end
')
 expect(result.to_html).to eq('
def fun end
')
 end
 end
 context "when an invalid language is specified" do
 it "highlights as plaintext" do
- result = filter('
This is a test
')
+ result = filter('
This is a test
')
 expect(result.to_html).to eq('
This is a test
')
 end
 end
@@ -30,7 +30,7 @@ describe Banzai::Filter::SyntaxHighlightFilter, lib: true do
 end
 it "highlights as plaintext" do
- result = filter('
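Review bot: The "when an invalid language is specified" case in this hunk only feeds the highlighter a harmless unknown token (the fixture text is not legible as rendered here), so it never shows what happens when the attribute the filter now reads carries characters that would be dangerous if echoed into the output's `class` attribute. Since that attribute comes from user-controlled markup, add a case such as `result = filter('<pre lang="foo&quot; onmouseover=&quot;alert(1)"><code>x</code></pre>')` asserting `expect(result.to_html).not_to include('onmouseover')` together with the plaintext fallback, adjusting to however the filter actually builds its class list. The two `it` blocks here are otherwise presumably a mechanical swap of the fixture attribute from `class` to `lang`, which matches the commit's intent.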
This is a test
')
+ result = filter('
This is a test
')
 expect(result.to_html).to eq('
This is a test
')
 end
 end
-- cgit v1.2.1