From 8967d50dc26edd9f9f881b363bdef23601e6e2e9 Mon Sep 17 00:00:00 2001 From: Sam Date: Mon, 26 Jun 2017 15:21:27 -0400 Subject: [PATCH] Clean up sanitization code - remove html table test, this is soon to be deprecated - move sanitization tests into pretty text.rb - fix up whitelister so it makes a copy of options --- .../engines/discourse-markdown-it.js.es6 | 7 ++-- .../pretty-text/white-lister.js.es6 | 2 +- spec/components/pretty_text_spec.rb | 33 ++++++++----------- test/javascripts/mdtest/mdtest.js.es6.erb | 8 ----- 4 files changed, 18 insertions(+), 32 deletions(-) diff --git a/app/assets/javascripts/pretty-text/engines/discourse-markdown-it.js.es6 b/app/assets/javascripts/pretty-text/engines/discourse-markdown-it.js.es6 index 9a45ef6a35d..8da31e81a16 100644 --- a/app/assets/javascripts/pretty-text/engines/discourse-markdown-it.js.es6 +++ b/app/assets/javascripts/pretty-text/engines/discourse-markdown-it.js.es6 @@ -151,13 +151,12 @@ export function setup(opts, siteSettings, state) { opts.setup = true; if (!opts.discourse.sanitizer) { - opts.sanitizer = opts.discourse.sanitizer = (!!opts.discourse.sanitize) ? sanitize : a=>a; + const whiteLister = new WhiteLister(opts.discourse); + opts.sanitizer = opts.discourse.sanitizer = (!!opts.discourse.sanitize) ? a=>sanitize(a, whiteLister) : a=>a; } } export function cook(raw, opts) { - const whiteLister = new WhiteLister(opts.discourse); - // we still have to hoist html_raw nodes so they bypass the whitelister // this is the case for oneboxes let hoisted = {}; @@ -165,7 +164,7 @@ export function cook(raw, opts) { opts.discourse.hoisted = hoisted; const rendered = opts.engine.render(raw); - let cooked = opts.discourse.sanitizer(rendered, whiteLister).trim(); + let cooked = opts.discourse.sanitizer(rendered).trim(); const keys = Object.keys(hoisted); if (keys.length) { 
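Review bot: In discourse-markdown-it.js.es6, `setup` now builds the `WhiteLister` once and the sanitizer closure captures it, so every later `cook` on the same `opts` reuses an allow-list computed at setup time (the constructor in the next file derives `_featureKeys` when it is constructed). If `opts.discourse.features` can change after setup, the cached list goes stale; a comment such as `// whiteLister is built once per setup(); re-run setup after changing opts.discourse` would make that contract explicit. The second hunk changes `cook` to call `opts.discourse.sanitizer(rendered)` with a single argument, so a sanitizer supplied by the caller (kept by the `if (!opts.discourse.sanitizer)` guard) no longer receives a whitelister and would have to build its own. The `a=>a` branch returns the rendered HTML unsanitized whenever `opts.discourse.sanitize` is falsy, which deserves a one-line comment next to it. Both `setup` and `cook` continue outside the hunks.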
diff --git a/app/assets/javascripts/pretty-text/white-lister.js.es6 b/app/assets/javascripts/pretty-text/white-lister.js.es6 index 8c37cbd4798..e1c1d56a4ab 100644 --- a/app/assets/javascripts/pretty-text/white-lister.js.es6 +++ b/app/assets/javascripts/pretty-text/white-lister.js.es6 @@ -25,7 +25,7 @@ export default class WhiteLister { this._featureKeys = Object.keys(options.features).filter(f => options.features[f]); this._key = this._featureKeys.join(':'); this._features = options.features; - this._options = {}; + this._options = options; } getCustom() { diff --git a/spec/components/pretty_text_spec.rb b/spec/components/pretty_text_spec.rb index c1a2d34662f..468251d7329 100644 --- a/spec/components/pretty_text_spec.rb +++ b/spec/components/pretty_text_spec.rb @@ -440,21 +440,6 @@ HTML expect(PrettyText.cook(raw)).to match_html(cooked) end - describe 'tables' do - it 'allows table html' do - SiteSetting.allow_html_tables = true - table = "\n
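Review bot: In white-lister.js.es6, `this._options = options;` keeps a reference to the caller's object rather than the copy the commit message describes. Any later change the caller makes to that object is therefore visible through `_options`, and any write the whitelister makes to `_options` lands on the caller's object. If isolation is the intent, a shallow copy would provide it: `this._options = Object.assign({}, options);` (nested objects such as `features` would still be shared). The constructor starts above the hunk and `getCustom()` continues below it, so how `_options` is read is not visible here.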
test
a
" - match = "
test
a
" - expect(PrettyText.cook(table)).to match_html(match) - end - - it 'allows no tables when not enabled' do - SiteSetting.allow_html_tables = false - table = "
test
a
" - expect(PrettyText.cook(table)).to match_html("") - end - end - describe "emoji" do it "replaces unicode emoji with our emoji sets if emoji is enabled" do expect(PrettyText.cook("💣")).to match(/\:bomb\:/) @@ -518,10 +503,6 @@ HTML SiteSetting.enable_experimental_markdown_it = true end - after do - SiteSetting.enable_experimental_markdown_it = false - end - # it "replaces skin toned emoji" do # expect(PrettyText.cook("hello 👱🏿‍♀️")).to eq("

hello \":blonde_woman:t6:\"

") # expect(PrettyText.cook("hello 👩‍🎤")).to eq("

hello \":woman_singer:\"

") @@ -530,6 +511,20 @@ HTML # end # + it "supports href schemes" do + SiteSetting.allowed_href_schemes = "macappstore|steam" + cooked = cook("[Steam URL Scheme](steam://store/452530)") + expected = '

Steam URL Scheme

' + expect(cooked).to eq(n expected) + end + + it "supports forbidden schemes" do + SiteSetting.allowed_href_schemes = "macappstore|itunes" + cooked = cook("[Steam URL Scheme](steam://store/452530)") + expected = '

Steam URL Scheme

' + expect(cooked).to eq(n expected) + end + it "produces tag links" do Fabricate(:topic, {tags: [Fabricate(:tag, name: 'known')]}) expect(PrettyText.cook("x #unknown::tag #known::tag")).to match_html("

x #unknown::tag #known

") diff --git a/test/javascripts/mdtest/mdtest.js.es6.erb b/test/javascripts/mdtest/mdtest.js.es6.erb index 870d556a415..314affd7a43 100644 --- a/test/javascripts/mdtest/mdtest.js.es6.erb +++ b/test/javascripts/mdtest/mdtest.js.es6.erb @@ -73,11 +73,3 @@ function md(assert, input, expected, text, settings) { %> <%= mdtest_suite %> - -test("whitelisted url scheme", function(assert) { - md(assert, "[Steam URL Scheme](steam://store/452530)", '
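Review bot: In pretty_text_spec.rb, the example name `"supports forbidden schemes"` reads as if disallowed schemes were accepted, while its setup (`allowed_href_schemes = "macappstore|itunes"` with a `steam://` link) tests the opposite. A name like `it "drops the href for schemes not in allowed_href_schemes" do` states the sanitizer's contract. Both new examples assign `SiteSetting.allowed_href_schemes` with no visible reset, in the same commit that removes the `after` hook for `enable_experimental_markdown_it`; presumably the spec harness restores site settings between examples, which is worth confirming. The expected HTML literals are not legible on this page, so the assertions themselves could not be checked. The enclosing `describe` block starts and ends outside the hunk.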

Steam URL Scheme

', 'whitelists the steam url', {allowed_href_schemes: "macappstore|steam"}); -}); - -test("forbidden url scheme", function(assert) { - md(assert, "[Steam URL Scheme](steam://store/452530)", '

Steam URL Scheme

', 'removes the href', {allowed_href_schemes: "macappstore|itunes"}); -});