Allow optional relaxed elements to be excluded from sanitization

This change allows an optional array of `relaxed_sanitization_elements` to be passed to a new Document, and these will be excluded from HTML sanitization.
alphagov · Jan 13, 2021 · e71d8c7 · e71d8c7
1 parent 1e705bf
commit e71d8c7
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 3 deletions.
diff --git a/lib/govspeak.rb b/lib/govspeak.rb
@@ -53,6 +53,7 @@ def initialize(source, options = {})
       @source = source ? source.dup : ""
 
       @images = options.delete(:images) || []
+      @relaxed_sanitization_elements = options.delete(:relaxed_sanitization_elements) || []
       @attachments = Array.wrap(options.delete(:attachments))
       @links = Array.wrap(options.delete(:links))
       @contacts = Array.wrap(options.delete(:contacts))
@@ -66,7 +67,7 @@ def initialize(source, options = {})
     def to_html
       @to_html ||= begin
                      html = if @options[:sanitize]
-                              HtmlSanitizer.new(kramdown_doc.to_html).sanitize
+                              HtmlSanitizer.new(kramdown_doc.to_html).sanitize(relaxed_elements: @relaxed_sanitization_elements)
                             else
                               kramdown_doc.to_html
                             end

diff --git a/lib/govspeak/html_sanitizer.rb b/lib/govspeak/html_sanitizer.rb
@@ -40,12 +40,16 @@ def initialize(dirty_html, options = {})
     @allowed_image_hosts = options[:allowed_image_hosts]
   end
 
-  def sanitize
+  def sanitize(relaxed_elements: [])
     transformers = [TableCellTextAlignWhitelister.new]
     if @allowed_image_hosts && @allowed_image_hosts.any?
       transformers << ImageSourceWhitelister.new(@allowed_image_hosts)
     end
-    Sanitize.clean(@dirty_html, Sanitize::Config.merge(sanitize_config, transformers: transformers))
+
+    config = sanitize_config
+    relaxed_elements.each { |el| config[:elements].add(el) }
+
+    Sanitize.clean(@dirty_html, Sanitize::Config.merge(config, transformers: transformers))
   end
 
   def sanitize_config

diff --git a/test/govspeak_test.rb b/test/govspeak_test.rb
@@ -666,6 +666,11 @@ class GovspeakTest < Minitest::Test
     assert_equal "<script>doGoodThings();</script>", document.to_html.strip
   end
 
+  test "it can exclude stipulated elements from sanitization" do
+    document = Govspeak::Document.new("<uncommon-element>some content</uncommon-element>", relaxed_sanitization_elements: %w[uncommon-element])
+    assert_equal "<uncommon-element>some content</uncommon-element>", document.to_html.strip
+  end
+
   test "identifies a Govspeak document containing malicious HTML as invalid" do
     document = Govspeak::Document.new("<script>doBadThings();</script>")
     refute document.valid?

diff --git a/test/html_sanitizer_test.rb b/test/html_sanitizer_test.rb
@@ -96,4 +96,10 @@ class HtmlSanitizerTest < Minitest::Test
       assert_equal "<table><thead><tr><th>thing</th></tr></thead><tbody><tr><td>thing</td></tr></tbody></table>", Govspeak::HtmlSanitizer.new(html).sanitize
     end
   end
+
+  test "excludes specified elements from sanitization" do
+    html = "<custom-relaxed-element><p>text</p></custom-relaxed-element>"
+    assert_equal "<p>text</p>", Govspeak::HtmlSanitizer.new(html).sanitize
+    assert_equal html, Govspeak::HtmlSanitizer.new(html).sanitize(relaxed_elements: %w[custom-relaxed-element])
+  end
 end