From e262f06a93a65d182344eb6924390229214e4aad Mon Sep 17 00:00:00 2001 From: Earlopain Date: Sat, 17 Dec 2022 17:00:27 +0100 Subject: [PATCH] [Cleanup] Remove NoteSanizier Notes are formatted using dtext only. Even though the existance of this class suggests that some html elements are allowed, it doesn't actually do anything. Link relativization also didn't work, same with dtext colors. --- Gemfile | 1 - Gemfile.lock | 4 -- app/controllers/note_previews_controller.rb | 2 +- app/logical/note_sanitizer.rb | 58 --------------------- app/views/notes/_note.html.erb | 2 +- config/danbooru_default_config.rb | 6 --- test/unit/note_sanitizer_test.rb | 37 ------------- 7 files changed, 2 insertions(+), 108 deletions(-) delete mode 100644 app/logical/note_sanitizer.rb delete mode 100644 test/unit/note_sanitizer_test.rb diff --git a/Gemfile b/Gemfile index 0eeeb20c7..8b26a7715 100644 --- a/Gemfile +++ b/Gemfile @@ -7,7 +7,6 @@ gem "pg" gem "dalli", :platforms => :ruby gem "simple_form" gem 'active_model_serializers', '~> 0.10.0' -gem "sanitize" gem 'ruby-vips' gem 'diff-lcs', :require => "diff/lcs/array" gem 'bcrypt', :require => "bcrypt" diff --git a/Gemfile.lock b/Gemfile.lock index bc7e1b57b..f318a9139 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -321,9 +321,6 @@ GEM ruby-vips (2.1.4) ffi (~> 1.12) ruby2_keywords (0.0.5) - sanitize (6.0.0) - crass (~> 1.0.2) - nokogiri (>= 1.12.0) semantic_range (3.0.0) shoulda-context (2.0.0) shoulda-matchers (5.2.0) @@ -427,7 +424,6 @@ DEPENDENCIES rubocop rubocop-rails ruby-vips - sanitize shoulda-context shoulda-matchers sidekiq (~> 6.0) diff --git a/app/controllers/note_previews_controller.rb b/app/controllers/note_previews_controller.rb index 3b17e9164..629cc966a 100644 --- a/app/controllers/note_previews_controller.rb +++ b/app/controllers/note_previews_controller.rb 
@@ -2,7 +2,7 @@ class NotePreviewsController < ApplicationController respond_to :json def show - @body = NoteSanitizer.sanitize(helpers.format_text(params[:body].to_s, allow_color: true)) + @body = helpers.format_text(params[:body].to_s) respond_with(@body) do |format| format.json do render :json => {:body => @body}.to_json diff --git a/app/logical/note_sanitizer.rb b/app/logical/note_sanitizer.rb deleted file mode 100644 index 40bb05879..000000000 --- a/app/logical/note_sanitizer.rb +++ /dev/null @@ -1,58 +0,0 @@ -module NoteSanitizer - ALLOWED_ELEMENTS = %w( - code center tn h1 h2 h3 h4 h5 h6 a span div blockquote br p ul li ol em - strong small big b i font u s pre ruby rb rt rp rtc sub sup hr wbr - ) - - ALLOWED_ATTRIBUTES = { - :all => %w(style title), - "a" => %w(href), - "span" => %w(class), - "div" => %w(class align), - "p" => %w(class align), - "font" => %w(color size), - } - - ALLOWED_PROPERTIES = %w( - font font-family font-size font-size-adjust font-style font-variant font-weight - ) - - def self.sanitize(text) - text.gsub!(/<( |-|3|:|>|\Z)/, "<\\1") - - Sanitize.clean( - text, - :elements => ALLOWED_ELEMENTS, - :attributes => ALLOWED_ATTRIBUTES, - :add_attributes => { - "a" => { "rel" => "nofollow" }, - }, - :protocols => { - "a" => { - "href" => ["http", "https", :relative] - } - }, - :css => { - allow_comments: false, - allow_hacks: false, - at_rules: [], - protocols: [], - properties: ALLOWED_PROPERTIES, - }, - :transformers => method(:relativize_links), - ) - end - - def self.relativize_links(node:, **env) - return unless node.name == "a" && node["href"].present? - - url = Addressable::URI.heuristic_parse(node["href"]).normalize - - if url.authority.in?(Danbooru.config.hostnames) - url.site = nil - node["href"] = url.to_s - end - rescue Addressable::URI::InvalidURIError - # do nothing for invalid urls - end -end diff --git a/app/views/notes/_note.html.erb b/app/views/notes/_note.html.erb index a3d845187..4a71447f8 100644 
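Review bot: The new `@body = helpers.format_text(params[:body].to_s)` line in `show` hands user-supplied text to the client with no sanitizer behind it, while the only tests that pinned "strip unsafe tags" and "strip unsafe css" are deleted from test/unit/note_sanitizer_test.rb in this same patch with nothing replacing them. The commit message says NoteSanitizer never changed anything, which may well be true, but that property now rests entirely on the dtext formatter's own escaping and nothing visible here demonstrates it (`format_text` is defined outside this patch). A single controller test would record the guarantee: `get note_preview_path(body: "<script>alert(1)</script>", format: :json)` followed by `assert_not_includes response.body, "<script>"`, with the route helper adjusted to whatever routes.rb names it. It would also be worth asking whether `allow_color: true` was load-bearing for any existing note; the commit message says colors never worked, so this is presumably safe, but a search for the option in the dtext helper would confirm it.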
--- a/app/views/notes/_note.html.erb +++ b/app/views/notes/_note.html.erb @@ -1 +1 @@ -
<%= raw NoteSanitizer.sanitize(format_text(note.body, allow_color: true)) %>
+
<%= format_text(note.body) %>
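Review bot: Dropping `raw` on the new `<%= format_text(note.body) %>` line means the note renders as HTML only if `format_text` returns an `html_safe` buffer; if it returns a plain String, Rails will escape the whole note and users will see literal markup, so confirm the helper (outside this patch) marks its result safe. The other direction matters more: the removed line ran user-authored note bodies through a second allow-list pass before marking them safe, and with that gone every `<`, quote and `href` value in a note reaches the page exactly as the dtext formatter emits it, making that formatter the single line of defense against stored XSS in notes. The claim that the sanitizer was a no-op is plausible but not shown here, so a short comment on this line would preserve the assumption for the next maintainer, e.g. `<%# note.body is user input; format_text must HTML-escape anything dtext does not recognise %>`. Any wrapper element around this line is not visible in the hunk as rendered.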
diff --git a/config/danbooru_default_config.rb b/config/danbooru_default_config.rb index 8f62e9d76..2e8f07e59 100644 --- a/config/danbooru_default_config.rb +++ b/config/danbooru_default_config.rb @@ -30,12 +30,6 @@ module Danbooru Socket.gethostname end - # The list of all domain names this site is accessible under. - # Example: %w[danbooru.donmai.us sonohara.donmai.us hijiribe.donmai.us safebooru.donmai.us] - def hostnames - [hostname] - end - # Contact email address of the admin. def contact_email "management@#{domain}" diff --git a/test/unit/note_sanitizer_test.rb b/test/unit/note_sanitizer_test.rb deleted file mode 100644 index 63c0cbf52..000000000 --- a/test/unit/note_sanitizer_test.rb +++ /dev/null @@ -1,37 +0,0 @@ -require 'test_helper' - -class NoteSanitizerTest < ActiveSupport::TestCase - context "Sanitizing a note" do - should "strip unsafe tags" do - body = '

test

' - assert_equal('

test

', NoteSanitizer.sanitize(body)) - end - - should "strip unsafe css" do - body = '

test

' - assert_equal("

test

", NoteSanitizer.sanitize(body)) - end - - should "allow style attributes on every tag" do - body = '

test

' - assert_equal('

test

', NoteSanitizer.sanitize(body)) - end - - should "mark links as nofollow" do - body = 'google' - assert_equal('google', NoteSanitizer.sanitize(body)) - end - - should "rewrite absolute links to relative links" do - Danbooru.config.stubs(:hostnames).returns(%w[danbooru.donmai.us sonohara.donmai.us hijiribe.donmai.us]) - - body = 'touhou' - assert_equal('touhou', NoteSanitizer.sanitize(body)) - end - - should "not fail when rewriting bad links" do - body = %{google} - assert_equal(%{google}, NoteSanitizer.sanitize(body)) - end - end -end