Skip to content

Commit

Permalink
markdown_erb needs to sanitize html too (#3675)
Browse files Browse the repository at this point in the history
markdown_erb needs to sanitize html too.
  • Loading branch information
johrstrom committed Oct 16, 2024
1 parent 6361dd7 commit fcd0b7e
Show file tree
Hide file tree
Showing 5 changed files with 59 additions and 17 deletions.
14 changes: 14 additions & 0 deletions apps/dashboard/app/models/motd_formatter/base_formatter.rb
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
module MotdFormatter

class BaseFormatter
include ActionView::Helpers::SanitizeHelper

def safe_content(content)
if Configuration.motd_render_html?
content.html_safe
else
sanitize(content)
end
end
end
end
13 changes: 1 addition & 12 deletions apps/dashboard/app/models/motd_formatter/markdown.rb
Original file line number Diff line number Diff line change
@@ -1,9 +1,6 @@
module MotdFormatter
# Utility class for rendering Markdown MOTD files.
class Markdown

include ActionView::Helpers::SanitizeHelper

class Markdown < BaseFormatter
attr_reader :content, :title

# @param [MotdFile] motd_file an MotdFile object that contains a URI path to a message of the day in OSC format
Expand All @@ -17,13 +14,5 @@ def initialize(motd_file)
def to_partial_path
"dashboard/motd_markdown"
end

def safe_content(content)
if Configuration.motd_render_html?
content.html_safe
else
sanitize(content)
end
end
end
end
13 changes: 8 additions & 5 deletions apps/dashboard/app/models/motd_formatter/markdown_erb.rb
Original file line number Diff line number Diff line change
@@ -1,16 +1,19 @@
# frozen_string_literal: true

module MotdFormatter
# Utility class for rendering Markdown MOTD files after ERB rendering them.
class MarkdownErb
class MarkdownErb < BaseFormatter
attr_reader :content, :title

def initialize(motd_file)
motd_file ||= MotdFile.new unless motd_file
@title = motd_file.title
@content = OodAppkit.markdown.render(ERB.new(motd_file.content).result)
content = OodAppkit.markdown.render(ERB.new(motd_file.content).result)
@content = safe_content(content)
end

def to_partial_path
"dashboard/motd_markdown"
'dashboard/motd_markdown'
end
end
end
end
3 changes: 3 additions & 0 deletions apps/dashboard/test/fixtures/files/motd_md_erb_w_html
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
# Some Markdown file

<script>var msg = 'this was a <%= 'script' %>';</script>
Original file line number Diff line number Diff line change
Expand Up @@ -51,5 +51,38 @@ class MotdFormatterMarkdownErbTest < ActiveSupport::TestCase

assert_not_nil formatted_motd.content
end

test 'content is html safe by default' do
path = "#{Rails.root}/test/fixtures/files/motd_md_erb_w_html"
motd = MotdFile.new(path)
formatted_motd = MotdFormatterMarkdownErb.new(motd)
content = formatted_motd.content

expected_content = "<h1>Some Markdown file</h1>\n" \
"\n" \
"var msg = 'this was a script';\n"

assert_not_nil(content)
assert_equal(expected_content, content)
end

# this test is very similar to above, but the content
# has a <script> tag still in it.
test 'content can contain html if configured' do
Configuration.stubs(:motd_render_html).returns(true)

path = "#{Rails.root}/test/fixtures/files/motd_md_erb_w_html"
motd = MotdFile.new(path)
formatted_motd = MotdFormatterMarkdownErb.new(motd)
content = formatted_motd.content

expected_content = "<h1>Some Markdown file</h1>\n" \
"\n" \
"<script>var msg = 'this was a script';</script>\n"

assert_not_nil(content)
assert_equal(expected_content, content)
end

end

0 comments on commit fcd0b7e

Please sign in to comment.