From 1d9687e621b1f01e34bbbf0e0b613d27a3922946 Mon Sep 17 00:00:00 2001 From: Jens Kraemer Date: Wed, 23 Oct 2019 05:20:59 +0000 Subject: [PATCH] adds an additional Markdown format that allows user-entered HTML - the rendering result is sanitized using the Rails HTML sanitizer --- lib/redmine.rb | 5 +- .../wiki_formatting/markdown_html/formatter.rb | 87 +++++++++ .../wiki_formatting/markdown_html/helper.rb | 26 +++ .../wiki_formatting/markdown_html/html_parser.rb | 26 +++ test/helpers/application_helper_test.rb | 15 ++ .../markdown_html_formatter_test.rb | 200 +++++++++++++++++++++ 6 files changed, 358 insertions(+), 1 deletion(-) create mode 100644 lib/redmine/wiki_formatting/markdown_html/formatter.rb create mode 100644 lib/redmine/wiki_formatting/markdown_html/helper.rb create mode 100644 lib/redmine/wiki_formatting/markdown_html/html_parser.rb create mode 100644 test/unit/lib/redmine/wiki_formatting/markdown_html_formatter_test.rb diff --git a/lib/redmine.rb b/lib/redmine.rb index f1d5c85c5..0423ac0e7 100644 --- a/lib/redmine.rb +++ b/lib/redmine.rb @@ -326,7 +326,10 @@ end Redmine::WikiFormatting.map do |format| format.register :textile - format.register :markdown if Object.const_defined?(:Redcarpet) + if Object.const_defined?(:Redcarpet) + format.register :markdown + format.register :markdown_html, label: 'Markdown (with HTML)' + end end ActionView::Template.register_template_handler :rsb, Redmine::Views::ApiTemplateHandler diff --git a/lib/redmine/wiki_formatting/markdown_html/formatter.rb b/lib/redmine/wiki_formatting/markdown_html/formatter.rb new file mode 100644 index 000000000..4973622f5 --- /dev/null +++ b/lib/redmine/wiki_formatting/markdown_html/formatter.rb @@ -0,0 +1,87 @@ +# frozen_string_literal: true + +# Redmine - project management software +# Copyright (C) 2006-2019 Jean-Philippe Lang +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +require 'cgi' + +module Redmine + module WikiFormatting + module MarkdownHtml + + class HtmlScrubber < Rails::Html::PermitScrubber + def initialize + super + # default set of tags, plus tables and u + self.tags = Set.new(%w(table tr td thead tfoot tbody u strong em b i p code pre tt samp kbd var sub sup dfn cite big small address hr br div span h1 h2 h3 h4 h5 h6 ul ol li dl dt dd abbr acronym a img blockquote del ins)) + # default set of attributes, plus id (which will still be scrubbed + # in most cases, see scrub_attribute below) + self.attributes = Set.new(%w(id href src width height alt cite datetime title class name xml:lang abbr)) + end + + private + + # overridden to only allow some id attribute values on sup and li + # elements for footnotes + def scrub_attribute(node, attr) + if attr.name == 'id' and not footnote_id?(node, attr) + attr.remove + end + super + end + + def footnote_id?(node, attr) + ( + node.name == 'sup' && + attr.value.to_s =~ /\Afnref\d+\z/ + ) or ( + node.name == 'li' && + attr.value.to_s =~ /\Afn\d+\z/ + ) + end + end + + class Formatter < Redmine::WikiFormatting::Markdown::Formatter + include ActionView::Helpers::SanitizeHelper + + def to_html(*_) + sanitize(super, scrubber: HtmlScrubber.new).to_str + end + + private + + def formatter + @@html_formatter ||= Redcarpet::Markdown.new( + Redmine::WikiFormatting::Markdown::HTML.new( + :hard_wrap => true + ), + :autolink => true, + :fenced_code_blocks => true, + :space_after_headers => true, + :tables => true, + :strikethrough => true, + :superscript => true, + :no_intra_emphasis => true, + :footnotes => true, + :lax_spacing => true, + :underline => true + ) + end + end + end + end +end diff --git a/lib/redmine/wiki_formatting/markdown_html/helper.rb b/lib/redmine/wiki_formatting/markdown_html/helper.rb new file mode 100644 index 000000000..a868fa64a --- /dev/null +++ b/lib/redmine/wiki_formatting/markdown_html/helper.rb @@ -0,0 +1,26 @@ +# frozen_string_literal: true + +# Redmine - project management software +# Copyright (C) 2006-2019 Jean-Philippe Lang +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +module Redmine + module WikiFormatting + module MarkdownHtml + Helper = Redmine::WikiFormatting::Markdown::Helper + end + end +end diff --git a/lib/redmine/wiki_formatting/markdown_html/html_parser.rb b/lib/redmine/wiki_formatting/markdown_html/html_parser.rb new file mode 100644 index 000000000..5ab450b11 --- /dev/null +++ b/lib/redmine/wiki_formatting/markdown_html/html_parser.rb @@ -0,0 +1,26 @@ +# frozen_string_literal: true + +# Redmine - project management software +# Copyright (C) 2006-2019 Jean-Philippe Lang +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +module Redmine + module WikiFormatting + module MarkdownHtml + HtmlParser = Redmine::WikiFormatting::Markdown::HtmlParser + end + end +end diff --git a/test/helpers/application_helper_test.rb b/test/helpers/application_helper_test.rb index a6733f7b0..5fa48f388 100644 --- a/test/helpers/application_helper_test.rb +++ b/test/helpers/application_helper_test.rb @@ -182,6 +182,21 @@ class ApplicationHelperTest < Redmine::HelperTest end end + def test_attached_images_with_markdown_html_and_non_ascii_filename + skip unless Object.const_defined?(:Redcarpet) + + to_test = { + 'CAFÉ.JPG' => 'CAF%C3%89.JPG', + 'crème.jpg' => 'cr%C3%A8me.jpg', + } + with_settings :text_formatting => 'markdown_html' do + to_test.each do |filename, result| + attachment = Attachment.generate!(:filename => filename) + assert_include %(), textilizable("![](#{filename})", :attachments => [attachment]) + end + end + end + def test_attached_images_with_hires_naming attachment = Attachment.generate!(:filename => 'image@2x.png') assert_equal %(

), diff --git a/test/unit/lib/redmine/wiki_formatting/markdown_html_formatter_test.rb b/test/unit/lib/redmine/wiki_formatting/markdown_html_formatter_test.rb new file mode 100644 index 000000000..570bb33e2 --- /dev/null +++ b/test/unit/lib/redmine/wiki_formatting/markdown_html_formatter_test.rb @@ -0,0 +1,200 @@ +# frozen_string_literal: true + +# Redmine - project management software +# Copyright (C) 2006-2019 Jean-Philippe Lang +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +require File.expand_path('../../../../../test_helper', __FILE__) + +class Redmine::WikiFormatting::MarkdownHtmlFormatterTest < ActionView::TestCase + if Object.const_defined?(:Redcarpet) + + def setup + @formatter = Redmine::WikiFormatting::MarkdownHtml::Formatter + end + + def test_syntax_error_in_image_reference_should_not_raise_exception + assert @formatter.new("!>[](foo.png)").to_html + end + + def test_empty_image_should_not_raise_exception + assert @formatter.new("![]()").to_html + end + + # re-using the formatter after getting above error crashes the + # ruby interpreter. This seems to be related to + # https://github.com/vmg/redcarpet/issues/318 + def test_should_not_crash_redcarpet_after_syntax_error + @formatter.new("!>[](foo.png)").to_html rescue nil + assert @formatter.new("![](foo.png)").to_html.present? + end + + def test_inline_style + assert_equal "

foo

", @formatter.new("**foo**").to_html.strip + end + + def test_not_set_intra_emphasis + assert_equal "

foo_bar_baz

", @formatter.new("foo_bar_baz").to_html.strip + end + + def test_wiki_links_should_be_preserved + text = 'This is a wiki link: [[Foo]]' + assert_include '[[Foo]]', @formatter.new(text).to_html + end + + def test_redmine_links_with_double_quotes_should_be_preserved + text = 'This is a redmine link: version:"1.0"' + assert_include 'version:"1.0"', @formatter.new(text).to_html + end + + def test_should_support_syntax_highlight + text = <<-STR +~~~ruby +def foo +end +~~~ +STR + assert_select_in @formatter.new(text).to_html, 'pre code.ruby.syntaxhl' do + assert_select 'span.k', :text => 'def' + end + end + + def test_should_not_allow_invalid_language_for_code_blocks + text = <<-STR +~~~foo +test +~~~ +STR + assert_equal "
test\n
", @formatter.new(text).to_html + end + + def test_external_links_should_have_external_css_class + text = 'This is a [link](http://example.net/)' + assert_equal '

This is a link

', @formatter.new(text).to_html.strip + end + + def test_locals_links_should_not_have_external_css_class + text = 'This is a [link](/issues)' + assert_equal '

This is a link

', @formatter.new(text).to_html.strip + end + + def test_markdown_should_not_require_surrounded_empty_line + text = <<-STR +This is a list: +* One +* Two +STR + assert_equal "

This is a list:

\n\n", @formatter.new(text).to_html.strip + end + + def test_footnotes + text = <<-STR +This is some text[^1]. + +[^1]: This is the foot note +STR + + # rails html sanitizer replaces entities with their utf8 counterparts + expected = <<-EXPECTED +

This is some text1.

+
+
+
    + +
  1. +

    This is the foot note 

    +
    2. + +
+
+EXPECTED + + assert_equal expected.gsub(%r{[\r\n\t]}, ''), @formatter.new(text).to_html.gsub(%r{[\r\n\t]}, '') + end + + STR_WITH_PRE = [ + # 0 + <<~STR.chomp, + # Title + + Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Maecenas sed libero. + STR + # 1 + <<~STR.chomp, + ## Heading 2 + + ~~~ruby + def foo + end + ~~~ + + Morbi facilisis accumsan orci non pharetra. + + ``` + Pre Content: + + ## Inside pre + + inside pre block + + Morbi facilisis accumsan orci non pharetra. + ``` + STR + # 2 + <<~STR.chomp, + ### Heading 3 + + Nulla nunc nisi, egestas in ornare vel, posuere ac libero. + STR + ] + + def test_get_section_should_ignore_pre_content + text = STR_WITH_PRE.join("\n\n") + + assert_section_with_hash STR_WITH_PRE[1..2].join("\n\n"), text, 2 + assert_section_with_hash STR_WITH_PRE[2], text, 3 + end + + def test_update_section_should_not_escape_pre_content_outside_section + text = STR_WITH_PRE.join("\n\n") + replacement = "New text" + + assert_equal [STR_WITH_PRE[0..1], "New text"].flatten.join("\n\n"), + @formatter.new(text).update_section(3, replacement) + end + + def test_should_support_underlined_text + text = 'This _text_ should be underlined' + assert_equal '

This text should be underlined

', @formatter.new(text).to_html.strip + end + + def test_should_support_html_tables + text = '
Cell
' + assert_equal '
Cell
', @formatter.new(text).to_html.strip + end + + private + + def assert_section_with_hash(expected, text, index) + result = @formatter.new(text).get_section(index) + + assert_kind_of Array, result + assert_equal 2, result.size + assert_equal expected, result.first, "section content did not match" + assert_equal Digest::MD5.hexdigest(expected), result.last, "section hash did not match" + end + end +end -- 2.11.0