Disable CommonMark preview

zanata · Jun 17, 2015 · 527634b · 527634b
1 parent c6fb14b
commit 527634b
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 1 deletion.
diff --git a/zanata-war/src/main/webapp/WEB-INF/layout/project/settings-tab.xhtml b/zanata-war/src/main/webapp/WEB-INF/layout/project/settings-tab.xhtml
@@ -497,8 +497,11 @@
 </ul>
 </div>
 
+<ui:remove><!--
+  Preview disabled due to https://bugzilla.redhat.com/show_bug.cgi?id=1232541
   <h:outputScript target="body" library="webjars" name="${commonMarkRenderer.outputScriptName}"/>
   <h:outputScript target="body" library="script" name="commonmark-preview.js"/>
+--></ui:remove>
 
   <ui:include src="/WEB-INF/layout/delete_confirmation_modal.xhtml">
     <ui:param name="entityType" value="#{msgs['jsf.Project']}" />

diff --git a/zanata-war/src/main/webapp/edit_home_content.xhtml b/zanata-war/src/main/webapp/edit_home_content.xhtml
@@ -41,8 +41,11 @@
 
       </div>
 
+      <ui:remove><!--
+        Preview disabled due to https://bugzilla.redhat.com/show_bug.cgi?id=1232541
         <h:outputScript target="body" library="webjars" name="${commonMarkRenderer.outputScriptName}"/>
         <h:outputScript target="body" library="script" name="commonmark-preview.js"/>
+      --></ui:remove>
 
     </h:form>
   </ui:define>

diff --git a/zanata-war/src/main/webapp/resources/script/commonmark-preview.js b/zanata-war/src/main/webapp/resources/script/commonmark-preview.js
@@ -4,7 +4,12 @@ $(function() {
   var writer = new commonmark.HtmlRenderer();
 
   function mdRender(src) {
-    return writer.render(reader.parse(src));
+    // NB Preview disabled due to https://bugzilla.redhat.com/show_bug.cgi?id=1232541
+    // TODO Run the HTML through a sanitiser like Google Caja JsHtmlSanitizer?
+    //var unsafeHtml = writer.render(reader.parse(src));
+    //var safeHtml = sanitizer.sanitize(unsafeHtml);
+    //return safeHtml;
+    return '';
   }
 
   var $allEditors = $('.js-commonmark__editor');

diff --git a/zanata-war/src/test/java/org/zanata/util/HtmlUtilTest.java b/zanata-war/src/test/java/org/zanata/util/HtmlUtilTest.java
@@ -31,6 +31,14 @@
  */
 public class HtmlUtilTest {
 
+    @Test
+    public void sanitiseLinkAddNoFollow() {
+        String input = "<p>Untrusted link: <a href=\"http://spam.example.com/\">Click here!</a></p>";
+        String expected = "<p>Untrusted link: <a href=\"http://spam.example.com/\" rel=\"nofollow\">Click here!</a></p>";
+        String actual = SANITIZER.sanitize(input);
+        assertThat(actual).isEqualTo(expected);
+    }
+
     @Test
     public void sanitisePlainText() {
         String input = "some text";