Bump sanitize gem dependency to 4.6

This fixes CVE-2018-2740 (See: rgrove/sanitize#176) We also have to fix some tests around table tags, because as of sanitize 3.x it uses a parser more like a browser which means it will strip invalid HTML and correct it when it's less-broken. Tables are one of the things it does this for.
alphagov · Mar 21, 2018 · cbe5677 · cbe5677
1 parent f4a2e81
commit cbe5677
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 5 deletions.
diff --git a/govspeak.gemspec b/govspeak.gemspec
@@ -29,7 +29,7 @@ library for use in the UK Government Single Domain project}
 
   s.add_dependency 'kramdown', '~> 1.15.0'
   s.add_dependency 'htmlentities', '~> 4'
-  s.add_dependency "sanitize", "~> 2.1.0"
+  s.add_dependency "sanitize", "~> 4.6"
   s.add_dependency 'nokogiri', '~> 1.5'
   s.add_dependency 'addressable', '>= 2.3.8', '< 3'
   s.add_dependency 'actionview', '>= 4.1', '< 6'

diff --git a/test/html_sanitizer_test.rb b/test/html_sanitizer_test.rb
@@ -53,13 +53,24 @@ class HtmlSanitizerTest < Minitest::Test
   end
 
   test "allows table cells and table headings without a style attribute" do
-    html = "<th>thing</th><td>thing</td>"
+    html = "<table><thead><tr><th>thing</th></tr></thead><tbody><tr><td>thing</td></tr></tbody></table>"
     assert_equal html, Govspeak::HtmlSanitizer.new(html).sanitize
   end
 
+  test "strips table cells and headings that appear outside a table" do
+    html = "<th>thing</th></tr><tr><td>thing</td>"
+    assert_equal 'thingthing', Govspeak::HtmlSanitizer.new(html).sanitize
+  end
+
+  test "normalizes table tags to inject missing rows and bodies like a browser does" do
+    html = "<table><th>thing</th><td>thing</td></table>"
+    assert_equal '<table><tbody><tr><th>thing</th><td>thing</td></tr></tbody></table>', Govspeak::HtmlSanitizer.new(html).sanitize
+  end
+
+
   test "allows valid text-align properties on the style attribute for table cells and table headings" do
     ["left", "right", "center"].each do |alignment|
-      html = "<th style=\"text-align: #{alignment}\">thing</th><td style=\"text-align: #{alignment}\">thing</td>"
+      html = "<table><thead><tr><th style=\"text-align: #{alignment}\">thing</th></tr></thead><tbody><tr><td style=\"text-align: #{alignment}\">thing</td></tr></tbody></table>"
       assert_equal html, Govspeak::HtmlSanitizer.new(html).sanitize
     end
 
@@ -70,8 +81,8 @@ class HtmlSanitizerTest < Minitest::Test
       "background-image: url(javascript:alert('XSS'))",
       "expression(alert('XSS'));"
     ].each do |style|
-      html = "<th style=\"#{style}\">thing</th><td style=\"#{style}\">thing</td>"
-      assert_equal '<th>thing</th><td>thing</td>', Govspeak::HtmlSanitizer.new(html).sanitize
+      html = "<table><thead><tr><th style=\"#{style}\">thing</th></tr></thead><tbody><tr><td style=\"#{style}\">thing</td></tr></tbody></table>"
+      assert_equal '<table><thead><tr><th>thing</th></tr></thead><tbody><tr><td>thing</td></tr></tbody></table>', Govspeak::HtmlSanitizer.new(html).sanitize
     end
   end
 end