[Cleanup] Remove NoteSanizier

Notes are formatted using dtext only. Even though the existance of this class suggests that some html elements are allowed, it doesn't actually do anything. Link relativization also didn't work, same with dtext colors.
2022-12-17 17:00:27 +01:00 · 2022-12-17 17:00:27 +01:00 · e262f06a93
commit e262f06a93
parent da4283cce4
7 changed files with 2 additions and 108 deletions
--- a/1
+++ b/1
@ -7,7 +7,6 @@ gem "pg"
 gem "dalli", :platforms => :ruby
 gem "simple_form"
 gem 'active_model_serializers', '~> 0.10.0'
-gem "sanitize"
 gem 'ruby-vips'
 gem 'diff-lcs', :require => "diff/lcs/array"
 gem 'bcrypt', :require => "bcrypt"
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -321,9 +321,6 @@ GEM
    ruby-vips (2.1.4)
      ffi (~> 1.12)
    ruby2_keywords (0.0.5)
-    sanitize (6.0.0)
-      crass (~> 1.0.2)
-      nokogiri (>= 1.12.0)
    semantic_range (3.0.0)
    shoulda-context (2.0.0)
    shoulda-matchers (5.2.0)
@ -427,7 +424,6 @@ DEPENDENCIES
  rubocop
  rubocop-rails
  ruby-vips
-  sanitize
  shoulda-context
  shoulda-matchers
  sidekiq (~> 6.0)
--- a/app/controllers/note_previews_controller.rb
+++ b/app/controllers/note_previews_controller.rb
@ -2,7 +2,7 @@ class NotePreviewsController < ApplicationController
  respond_to :json

  def show
-    @body = NoteSanitizer.sanitize(helpers.format_text(params[:body].to_s, allow_color: true))
+    @body = helpers.format_text(params[:body].to_s)
    respond_with(@body) do |format|
      format.json do
        render :json => {:body => @body}.to_json
--- a/app/logical/note_sanitizer.rb
+++ b/app/logical/note_sanitizer.rb
@ -1,58 +0,0 @@
-module NoteSanitizer
-  ALLOWED_ELEMENTS = %w(
-    code center tn h1 h2 h3 h4 h5 h6 a span div blockquote br p ul li ol em
-    strong small big b i font u s pre ruby rb rt rp rtc sub sup hr wbr
-  )
-
-  ALLOWED_ATTRIBUTES = {
-    :all => %w(style title),
-    "a" => %w(href),
-    "span" => %w(class),
-    "div" => %w(class align),
-    "p" => %w(class align),
-    "font" => %w(color size),
-  }
-
-  ALLOWED_PROPERTIES = %w(
-    font font-family font-size font-size-adjust font-style font-variant font-weight
-  )
-
-  def self.sanitize(text)
-    text.gsub!(/<( |-|3|:|>|\Z)/, "&lt;\\1")
-
-    Sanitize.clean(
-      text,
-      :elements => ALLOWED_ELEMENTS,
-      :attributes => ALLOWED_ATTRIBUTES,
-      :add_attributes => {
-        "a" => { "rel" => "nofollow" },
-      },
-      :protocols => {
-        "a" => {
-          "href" => ["http", "https", :relative]
-        }
-      },
-      :css => {
-        allow_comments: false,
-        allow_hacks: false,
-        at_rules: [],
-        protocols: [],
-        properties: ALLOWED_PROPERTIES,
-      },
-      :transformers => method(:relativize_links),
-    )
-  end
-
-  def self.relativize_links(node:, **env)
-    return unless node.name == "a" && node["href"].present?
-
-    url = Addressable::URI.heuristic_parse(node["href"]).normalize
-
-    if url.authority.in?(Danbooru.config.hostnames)
-      url.site = nil
-      node["href"] = url.to_s
-    end
-  rescue Addressable::URI::InvalidURIError
-    # do nothing for invalid urls
-  end
-end
--- a/app/views/notes/_note.html.erb
+++ b/app/views/notes/_note.html.erb
@ -1 +1 @@
-<article data-width="<%= note.width %>" data-height="<%= note.height %>" data-x="<%= note.x %>" data-y="<%= note.y %>" data-id="<%= note.id %>" data-body="<%= note.body %>"><%= raw NoteSanitizer.sanitize(format_text(note.body, allow_color: true)) %></article>
+<article data-width="<%= note.width %>" data-height="<%= note.height %>" data-x="<%= note.x %>" data-y="<%= note.y %>" data-id="<%= note.id %>" data-body="<%= note.body %>"><%= format_text(note.body) %></article>
--- a/config/danbooru_default_config.rb
+++ b/config/danbooru_default_config.rb
@ -30,12 +30,6 @@ module Danbooru
      Socket.gethostname
    end

-    # The list of all domain names this site is accessible under.
-    # Example: %w[danbooru.donmai.us sonohara.donmai.us hijiribe.donmai.us safebooru.donmai.us]
-    def hostnames
-      [hostname]
-    end
-
    # Contact email address of the admin.
    def contact_email
      "management@#{domain}"
--- a/test/unit/note_sanitizer_test.rb
+++ b/test/unit/note_sanitizer_test.rb
@ -1,37 +0,0 @@
-require 'test_helper'
-
-class NoteSanitizerTest < ActiveSupport::TestCase
-  context "Sanitizing a note" do
-    should "strip unsafe tags" do
-      body = '<p>test</p> <script>alert("owned")</script>'
-      assert_equal('<p>test</p> ', NoteSanitizer.sanitize(body))
-    end
-
-    should "strip unsafe css" do
-      body = '<p style="background-image: url(http://www.google.com);">test</p>'
-      assert_equal("<p>test</p>", NoteSanitizer.sanitize(body))
-    end
-
-    should "allow style attributes on every tag" do
-      body = '<p style="font-size: 1em;">test</p>'
-      assert_equal('<p style="font-size: 1em;">test</p>', NoteSanitizer.sanitize(body))
-    end
-
-    should "mark links as nofollow" do
-      body = '<a href="http://www.google.com">google</a>'
-      assert_equal('<a href="http://www.google.com" rel="nofollow">google</a>', NoteSanitizer.sanitize(body))
-    end
-
-    should "rewrite absolute links to relative links" do
-      Danbooru.config.stubs(:hostnames).returns(%w[danbooru.donmai.us sonohara.donmai.us hijiribe.donmai.us])
-
-      body = '<a href="http://sonohara.donmai.us/posts?tags=touhou#dtext-intro">touhou</a>'
-      assert_equal('<a href="/posts?tags=touhou#dtext-intro" rel="nofollow">touhou</a>', NoteSanitizer.sanitize(body))
-    end
-
-    should "not fail when rewriting bad links" do
-      body = %{<a href ="\nhttp!://www.google.com:12x3">google</a>}
-      assert_equal(%{<a rel="nofollow">google</a>}, NoteSanitizer.sanitize(body))
-    end
-  end
-end