From cbe56770ea8d5b728d77ee8d242fba69b81b1fde Mon Sep 17 00:00:00 2001
From: Murray Steele
Date: Wed, 21 Mar 2018 17:04:14 +0000
Subject: [PATCH] Bump sanitize gem dependency to 4.6

This fixes CVE-2018-2740 (See: https://github.com/rgrove/sanitize/issues/176)

We also have to fix some tests around table tags, because as of sanitize 3.x it uses a parser more like a browser which means it will strip invalid HTML and correct it when it's less-broken. Tables are one of the things it does this for.
---
 govspeak.gemspec | 2 +-
 test/html_sanitizer_test.rb | 19 +++++++++++++++----
 2 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/govspeak.gemspec b/govspeak.gemspec
index 7498724f..66ce16cc 100644
--- a/govspeak.gemspec
+++ b/govspeak.gemspec
@@ -29,7 +29,7 @@ library for use in the UK Government Single Domain project}
 s.add_dependency 'kramdown', '~> 1.15.0'
 s.add_dependency 'htmlentities', '~> 4'
- s.add_dependency "sanitize", "~> 2.1.0"
+ s.add_dependency "sanitize", "~> 4.6"
 s.add_dependency 'nokogiri', '~> 1.5'
 s.add_dependency 'addressable', '>= 2.3.8', '< 3'
 s.add_dependency 'actionview', '>= 4.1', '< 6'
diff --git a/test/html_sanitizer_test.rb b/test/html_sanitizer_test.rb
index 240520bf..b84fc970 100644
--- a/test/html_sanitizer_test.rb
+++ b/test/html_sanitizer_test.rb
@@ -53,13 +53,24 @@ class HtmlSanitizerTest < Minitest::Test
 end
 test "allows table cells and table headings without a style attribute" do
- html = "thingthing"
+ html = "
thing
thing
" assert_equal html, Govspeak::HtmlSanitizer.new(html).sanitize end + test "strips table cells and headings that appear outside a table" do + html = "thingthing" + assert_equal 'thingthing', Govspeak::HtmlSanitizer.new(html).sanitize + end + + test "normalizes table tags to inject missing rows and bodies like a browser does" do + html = "
thingthing
" + assert_equal '
thingthing
', Govspeak::HtmlSanitizer.new(html).sanitize + end + + test "allows valid text-align properties on the style attribute for table cells and table headings" do ["left", "right", "center"].each do |alignment| - html = "thingthing" + html = "
thing
thing
" assert_equal html, Govspeak::HtmlSanitizer.new(html).sanitize end @@ -70,8 +81,8 @@ class HtmlSanitizerTest < Minitest::Test "background-image: url(javascript:alert('XSS'))", "expression(alert('XSS'));" ].each do |style| - html = "thingthing" - assert_equal 'thingthing', Govspeak::HtmlSanitizer.new(html).sanitize + html = "
thing
thing
" + assert_equal '
thing
thing
', Govspeak::HtmlSanitizer.new(html).sanitize end end end