Merge pull request #531 from jloehel/markdown

Added the usage of markdown for team description
SUSE · Nov 5, 2015 · fb19d6c · fb19d6c
2 parents ae3f86b + a7e0983
commit fb19d6c
Show file tree

Hide file tree

Showing 6 changed files with 53 additions and 3 deletions.
diff --git a/Gemfile b/Gemfile
@@ -18,6 +18,7 @@ gem "search_cop"
 gem "kaminari"
 gem "crono"
 gem "net-ldap"
+gem "redcarpet"
 
 # This is already a Rails dependency, but we use it to run portusctl
 gem "thor"

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -208,6 +208,7 @@ GEM
       thor (>= 0.18.1, < 2.0)
     rainbow (2.0.0)
     rake (10.4.2)
+    redcarpet (3.3.3)
     responders (2.1.0)
       railties (>= 4.2.0, < 5)
     rspec-core (3.3.0)
@@ -344,6 +345,7 @@ DEPENDENCIES
   quiet_assets
   rack-mini-profiler
   rails (~> 4.2.2)
+  redcarpet
   rspec-rails
   rubocop
   sass-rails (>= 3.2)

diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
@@ -12,4 +12,24 @@ def user_image_tag(email)
   def activity_time_tag(ct)
     time_tag ct, time_ago_in_words(ct), title: ct
   end
+
+  # Render markdown to safe HTML.
+  # Images, unsafe link protocols and styles are not allowed to render.
+  # HTML-Tags will be filtered.
+  def markdown(text)
+    extensions = {
+      superscript:                  true,
+      disable_indented_code_blocks: true
+    }
+    render_options = {
+      filter_html:         true,
+      no_images:           true,
+      no_styles:           true,
+      safe_links_only:     true,
+      space_after_headers: true
+    }
+    renderer = Redcarpet::Render::HTML.new(render_options)
+    m = Redcarpet::Markdown.new(renderer, extensions)
+    m.render(text).html_safe
+  end
 end
diff --git a/app/views/teams/show.html.slim b/app/views/teams/show.html.slim
@@ -26,10 +26,10 @@
         p
           'No description has been posted yet.
       - else
-        '#{@team.description}
+        = markdown(@team.description)
     .collapse id="change_description_team_#{@team.id}"
       = form_for @team, remote: true, html: {role: 'form'} do |f|
-        = f.text_area(:description, class: 'form-control', placeholder: "#{@team.description}")
+        = f.text_area(:description, class: 'form-control', placeholder: html_escape(@team.description))
         br
           = button_tag(type: 'submit', class: 'btn btn-primary pull-right') do
             i.fa.fa-check

diff --git a/app/views/teams/update.js.erb b/app/views/teams/update.js.erb
@@ -8,7 +8,7 @@
   <% if @team.description.blank? %>
    $('.description').html("No description has been posted yet");
   <% else %>
-    $('.description').html("<%= escape_javascript(@team.description) %>");
+    $('.description').html("<%= escape_javascript(markdown(@team.description)) %>");
   <% end %>
 <% else %>
   $('#alert p').html("<%= escape_javascript(@team.errors.full_messages.join('<br/>')) %>");

diff --git a/spec/helpers/application_helper_spec.rb b/spec/helpers/application_helper_spec.rb
@@ -37,4 +37,31 @@ def time_tag(first, second, _args)
       expect(activity_time_tag(t)).to eq "#{t}-less than a minute"
     end
   end
+
+  describe "#team_description_markdown" do
+    it "renders markdown to html" do
+      headline1 = "# testing"
+      expect(markdown(headline1)).to eq "<h1>testing</h1>\n"
+    end
+
+    it "does not allow pictures" do
+      picture = "![Alternativer Text](/pfad/zum/bild.jpg)"
+      expect(markdown(picture)).to eq "<p>![Alternativer Text](/pfad/zum/bild.jpg)</p>\n"
+    end
+
+    it "does not allow styles" do
+      style = "Hello <style> foo { bar: baz; } </style> !"
+      expect(markdown(style)).not_to match(/<style>/i)
+    end
+
+    it "allows only safe links" do
+      link = "[IRC](irc://chat.freenode.org/#freenode)"
+      expect(markdown(link)).to eq "<p>[IRC](irc://chat.freenode.org/#freenode)</p>\n"
+    end
+
+    it "filters html" do
+      html_tag = "<script>alert('foo');</script>"
+      expect(markdown(html_tag)).to eq "<p>alert(&#39;foo&#39;);</p>\n"
+    end
+  end
 end