Move from github-markdown to github-markup

They are very similar gems, but the former isn't supported on newer versions of OSX. Basically you'll see an error like. ``` gh-markdown.c:56:29: error: implicitly declaring library function 'isspace' with type 'int (int)' [-Werror,-Wimplicit-function-declaration] while (i < lang->size && !isspace(lang->data[i])) ^ gh-markdown.c:56:29: note: include the header <ctype.h> or explicitly provide a declaration for 'isspace' ``` Since the github-markdown gem is deprecated, we need to change gems.
zendesk · Jan 26, 2021 · 1c676d7 · 1c676d7
1 parent 300b31c
commit 1c676d7
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 7 deletions.
diff --git a/Gemfile b/Gemfile
@@ -38,7 +38,8 @@ gem 'faraday-http-cache'
 gem 'warden'
 gem 'active_hash'
 gem 'ansible'
-gem 'github-markdown'
+gem 'github-markup'
+gem 'commonmarker'
 gem 'coderay'
 gem 'net-http-persistent'
 gem 'concurrent-ruby'

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -277,6 +277,8 @@ GEM
       thor (>= 0.18, < 2)
     byebug (8.2.2)
     coderay (1.1.1)
+    commonmarker (0.21.1)
+      ruby-enum (~> 0.5)
     concurrent-ruby (1.1.7)
     connection_pool (2.2.1)
     crack (0.4.3)
@@ -316,7 +318,7 @@ GEM
     forking_test_runner (1.2.0)
       parallel_tests (>= 1.3.7)
     git_diff_parser (3.1.0)
-    github-markdown (0.6.9)
+    github-markup (3.0.5)
     gitlab (4.10.0)
       httparty (~> 0.14, >= 0.14.0)
       terminal-table (~> 1.5, >= 1.5.1)
@@ -560,6 +562,8 @@ GEM
     rubocop-rails (2.3.2)
       rack (>= 1.1)
       rubocop (>= 0.72.0)
+    ruby-enum (0.8.0)
+      i18n
     ruby-progressbar (1.10.1)
     ruby_parser (3.13.1)
       sexp_processor (~> 4.9)
@@ -644,6 +648,7 @@ DEPENDENCIES
   bundler
   bundler-audit
   coderay
+  commonmarker
   concurrent-ruby
   connection_pool
   dalli
@@ -656,7 +661,7 @@ DEPENDENCIES
   flay
   forking_test_runner
   gcloud_image_tagger!
-  github-markdown
+  github-markup
   goldiloader
   large_object_store
   lograge

diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 require 'ansible'
-require 'github/markdown'
+require 'github/markup'
 
 module ApplicationHelper
   BOOTSTRAP_FLASH_MAPPINGS = {
@@ -27,7 +27,7 @@ def autolink(text)
 
   # https://github.com/showdownjs/showdown/wiki/Markdown's-XSS-Vulnerability-(and-how-to-mitigate-it)
   def markdown(str)
-    sanitize GitHub::Markdown.render_gfm(str)
+    sanitize GitHub::Markup.render_s(GitHub::Markups::MARKUP_MARKDOWN, str)
   end
 
   def deploy_link(project, stage)

diff --git a/test/helpers/application_helper_test.rb b/test/helpers/application_helper_test.rb
@@ -72,8 +72,14 @@
     end
 
     it "does not allow XSS" do
-      result = markdown("<script>alert(1)</script>")
-      result.must_equal "alert(1)\n"
+      result = markdown("foo <script>alert(1)</script> ")
+      result.must_equal "<p>foo alert(1)</p>\n"
+      assert result.html_safe?
+    end
+
+    it "does not allow XSS, strips entire tag" do
+      result = markdown("<script>alert(1)</script> ")
+      result.must_equal "\n"
       assert result.html_safe?
     end
   end