Revert "Merge pull request #1740 from coderdojo-japan/fix/brakeman-xss-warnings"

This reverts commit 79d82d4, reversing
changes made to 2bc0d97.

Author: yasulab

app/helpers/application_helper.rb

@@ -48,24 +48,6 @@ def page_lang(lang)
     lang.empty? ? 'ja' : lang
   end
 
-  def sanitize_content(content)
-    sanitize(content, 
-      tags: ActionView::Base.sanitized_allowed_tags + ['center'], 
-      attributes: ActionView::Base.sanitized_allowed_attributes + ['id']
-    )
-  end
-
-  def safe_dojo_url(dojo)
-    return '#' if dojo.url.blank?
-
-    begin
-      uri = URI.parse(dojo.url)
-      uri.scheme&.match?(/\Ahttps?\z/) ? dojo.url : '#'
-    rescue URI::InvalidURIError
-      '#'
-    end
-  end
-
   # 'inline_' プレフィックスがついたflashメッセージをビュー内で表示するヘルパー
   # inline_alert → alert, inline_warning → warning のように変換してBootstrapのCSSクラスを適用
   def render_inline_flash_messages

app/models/dojo.rb

@@ -97,7 +97,7 @@ def active?
   def active_at?(date)
     created_at <= date && (inactivated_at.nil? || inactivated_at > date)
   end
-
+  
   # 再活性化メソッド
   def reactivate!
     if inactivated_at.present?

app/views/docs/show.html.erb

@@ -9,7 +9,7 @@
 
 <div class='container' style='line-height: 1.9em;'>
   <section class='doc' style='padding: 50px 0px 100px 0px;'>
-    <%= sanitize_content(@content) %>
+    <%= raw @content %>
   </section>
 
   <% if request.path.start_with? '/docs' %>
@@ -22,3 +22,5 @@
     <%= render 'shared/social_buttons' %>
   </section>
 </div>
+
+

app/views/podcasts/show.html.erb

@@ -36,7 +36,7 @@
 
       <iframe class="lazyload" src="https://anchor.fm/coderdojo-japan/embed/episodes/<%= @episode.permalink %>" width="100%" scrolling="no" frameborder="yes" style='margin-bottom: 30px;'></iframe>
 
-      <%= sanitize_content(Rinku.auto_link(@content)) %>
+      <%= raw Rinku.auto_link(@content) %>
     </div>
   </section>
 

app/views/shared/_dojo.html.erb

@@ -1,9 +1,9 @@
-<li class="dojo" id="<%= html_escape(dojo.name) %>">
+<li class="dojo" id="<%= dojo.name %>">
   <header>
-    <%= link_to lazy_image_tag(dojo.logo, alt: html_escape("CoderDojo #{dojo.name}"), class: 'dojo-picture'), safe_dojo_url(dojo),
-              target: "_blank" %>
+    <%= link_to lazy_image_tag(dojo.logo, alt: "CoderDojo #{dojo.name}", class: 'dojo-picture'), dojo.url,
+              target: "_blank", rel: "external noopener" %>
     <span class="dojo-name">
-      <%= link_to html_escape("#{dojo.name} (#{dojo.prefecture.name})"), safe_dojo_url(dojo), target: "_blank" %>
+      <%= link_to "#{dojo.name} (#{dojo.prefecture.name})", dojo.url, target: "_blank", rel: "external noopener" %>
       <% if not dojo.counter == 1 %>
         <span class="dojo-counter"
               data-original-title="道場数"
@@ -15,7 +15,7 @@
 
   <ul class="tags">
     <% dojo.tags.first(5).each do |tag| %>
-      <li><%= html_escape(tag) %></li>
+      <li><%= tag %></li>
     <% end %>
 
     <% if dojo.tags.length > 5 %>
@@ -26,12 +26,12 @@
 	   	           <div class="tooltip-arrow"></div>
 		           <div class="tooltip-inner"></div>
 		         </div>'
-          title="<%= html_escape(dojo.tags[5..].join(', ')) %>">...</li>
+          title="<%= dojo.tags[5..].join(', ') %>">...</li>
     <% end %>
   </ul>
 
   <p class="dojo-description">
-    <%= html_escape(dojo.description) %>
+    <%= dojo.description %>
     <% if dojo.is_private %>
       <%= link_to 'Private', doc_path('private-dojo'), class: 'dojo-private' %>
     <% end %>

config/brakeman.ignore

@@ -0,0 +1,181 @@
+{
+  "ignored_warnings": [
+    {
+      "warning_type": "Cross-Site Scripting",
+      "warning_code": 4,
+      "fingerprint": "8ba988098c444755698e4e65d38a94f4095948c1a9bc6220c7e2a4636c3c04d7",
+      "check_name": "LinkToHref",
+      "message": "Potentially unsafe model attribute in `link_to` href",
+      "file": "app/views/shared/_dojo.html.erb",
+      "line": 6,
+      "link": "https://brakemanscanner.org/docs/warning_types/link_to_href",
+      "code": "link_to(\"#{Dojo.new.name} (#{Dojo.new.prefecture.name})\", Dojo.new.url, :target => \"_blank\", :rel => \"external noopener\")",
+      "render_path": [
+        {
+          "type": "controller",
+          "class": "HomeController",
+          "method": "show",
+          "line": 7,
+          "file": "app/controllers/home_controller.rb",
+          "rendered": {
+            "name": "home/show",
+            "file": "app/views/home/show.html.erb"
+          }
+        },
+        {
+          "type": "template",
+          "name": "home/show",
+          "line": 161,
+          "file": "app/views/home/show.html.erb",
+          "rendered": {
+            "name": "shared/_dojos",
+            "file": "app/views/shared/_dojos.html.erb"
+          }
+        },
+        {
+          "type": "template",
+          "name": "shared/_dojos",
+          "line": 2,
+          "file": "app/views/shared/_dojos.html.erb",
+          "rendered": {
+            "name": "shared/_dojo",
+            "file": "app/views/shared/_dojo.html.erb"
+          }
+        }
+      ],
+      "location": {
+        "type": "template",
+        "template": "shared/_dojo"
+      },
+      "user_input": "Dojo.new.url",
+      "confidence": "Weak",
+      "cwe_id": [
+        79
+      ],
+      "note": ""
+    },
+    {
+      "warning_type": "Cross-Site Scripting",
+      "warning_code": 2,
+      "fingerprint": "b22a549fb14a7e6b3a9c34991ffcacd354dc768d74d50a8f6901e23c3ea19538",
+      "check_name": "CrossSiteScripting",
+      "message": "Unescaped model attribute",
+      "file": "app/views/podcasts/show.html.erb",
+      "line": 39,
+      "link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting",
+      "code": "Rinku.auto_link(Kramdown::Document.new(self.convert_shownote(Podcast.find_by(:id => params[:id]).content), :input => \"GFM\").to_html)",
+      "render_path": [
+        {
+          "type": "controller",
+          "class": "PodcastsController",
+          "method": "show",
+          "line": 31,
+          "file": "app/controllers/podcasts_controller.rb",
+          "rendered": {
+            "name": "podcasts/show",
+            "file": "app/views/podcasts/show.html.erb"
+          }
+        }
+      ],
+      "location": {
+        "type": "template",
+        "template": "podcasts/show"
+      },
+      "user_input": "Podcast.find_by(:id => params[:id]).content",
+      "confidence": "Weak",
+      "cwe_id": [
+        79
+      ],
+      "note": ""
+    },
+    {
+      "warning_type": "Cross-Site Scripting",
+      "warning_code": 4,
+      "fingerprint": "b29f98f4da690ffb7c663390c21db3a71174dae17d06234deab9d6655af6babe",
+      "check_name": "LinkToHref",
+      "message": "Potentially unsafe model attribute in `link_to` href",
+      "file": "app/views/shared/_dojo.html.erb",
+      "line": 3,
+      "link": "https://brakemanscanner.org/docs/warning_types/link_to_href",
+      "code": "link_to(lazy_image_tag(Dojo.new.logo, :alt => (\"CoderDojo #{Dojo.new.name}\"), :class => \"dojo-picture\"), Dojo.new.url, :target => \"_blank\", :rel => \"external noopener\")",
+      "render_path": [
+        {
+          "type": "controller",
+          "class": "HomeController",
+          "method": "show",
+          "line": 7,
+          "file": "app/controllers/home_controller.rb",
+          "rendered": {
+            "name": "home/show",
+            "file": "app/views/home/show.html.erb"
+          }
+        },
+        {
+          "type": "template",
+          "name": "home/show",
+          "line": 161,
+          "file": "app/views/home/show.html.erb",
+          "rendered": {
+            "name": "shared/_dojos",
+            "file": "app/views/shared/_dojos.html.erb"
+          }
+        },
+        {
+          "type": "template",
+          "name": "shared/_dojos",
+          "line": 2,
+          "file": "app/views/shared/_dojos.html.erb",
+          "rendered": {
+            "name": "shared/_dojo",
+            "file": "app/views/shared/_dojo.html.erb"
+          }
+        }
+      ],
+      "location": {
+        "type": "template",
+        "template": "shared/_dojo"
+      },
+      "user_input": "Dojo.new.url",
+      "confidence": "Weak",
+      "cwe_id": [
+        79
+      ],
+      "note": ""
+    },
+    {
+      "warning_type": "Cross-Site Scripting",
+      "warning_code": 2,
+      "fingerprint": "e4187193a881ef4e98b77f205c86fcafbef3d65d9269bba30e8612f6a59273ed",
+      "check_name": "CrossSiteScripting",
+      "message": "Unescaped model attribute",
+      "file": "app/views/docs/show.html.erb",
+      "line": 12,
+      "link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting",
+      "code": "Kramdown::Document.new(Document.new(params[:id]).content, :input => \"GFM\").to_html",
+      "render_path": [
+        {
+          "type": "controller",
+          "class": "DocsController",
+          "method": "show",
+          "line": 42,
+          "file": "app/controllers/docs_controller.rb",
+          "rendered": {
+            "name": "docs/show",
+            "file": "app/views/docs/show.html.erb"
+          }
+        }
+      ],
+      "location": {
+        "type": "template",
+        "template": "docs/show"
+      },
+      "user_input": "Document.new(params[:id]).content",
+      "confidence": "Weak",
+      "cwe_id": [
+        79
+      ],
+      "note": ""
+    }
+  ],
+  "brakeman_version": "7.1.0"
+}

spec/requests/docs_spec.rb

@@ -14,7 +14,6 @@
       get doc_path(param)
       doc      = Document.new(param)
       expected = Kramdown::Document.new(doc.content, input: 'GFM').to_html
-      expected = ApplicationController.helpers.sanitize_content(expected)
       expect(response.body).to include(expected.strip)
     end