From: Tom Hughes Date: Wed, 16 Jan 2019 10:20:29 +0000 (+0000) Subject: Merge remote-tracking branch 'upstream/pull/2115' X-Git-Tag: live~3812 X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/d2e11a327eb686bd2d1293ac146a2bb9730ba19b?hp=e7f943c715d7104fd4f22fe59a79a5d52e71a7c4 Merge remote-tracking branch 'upstream/pull/2115' --- diff --git a/Gemfile b/Gemfile index f75921f12..3cf075045 100644 --- a/Gemfile +++ b/Gemfile @@ -77,7 +77,7 @@ gem "omniauth-openid" gem "omniauth-windowslive" # Markdown formatting support -gem "redcarpet" +gem "kramdown" # For status transitions of Issues gem "aasm" diff --git a/Gemfile.lock b/Gemfile.lock index 2aba9c21b..3b70d157a 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -161,6 +161,7 @@ GEM jsonify (< 0.4.0) jwt (2.1.0) kgio (2.11.2) + kramdown (1.17.0) libv8 (3.16.14.19) libxml-ruby (3.1.0) listen (3.1.5) @@ -303,7 +304,6 @@ GEM ffi (~> 1.0) record_tag_helper (1.0.0) actionview (~> 5.x) - redcarpet (3.4.0) ref (2.0.0) request_store (1.4.1) rack (>= 1.4) @@ -412,6 +412,7 @@ DEPENDENCIES json jsonify-rails kgio + kramdown libxml-ruby (>= 2.0.5) listen logstasher @@ -438,7 +439,6 @@ DEPENDENCIES rails-controller-testing rails-i18n (~> 4.0.0) record_tag_helper - redcarpet rinku (>= 1.2.2) rotp rubocop diff --git a/app/assets/stylesheets/common.scss b/app/assets/stylesheets/common.scss index d36e77285..d725cc287 100644 --- a/app/assets/stylesheets/common.scss +++ b/app/assets/stylesheets/common.scss @@ -2342,11 +2342,11 @@ a.button { margin-left: $lineheight; } - ul li { + ul > li { list-style: disc; } - ol li { + ol > li { list-style: decimal; } } diff --git a/config/initializers/sanitize.rb b/config/initializers/sanitize.rb index 240f1e315..c7b7b3326 100644 --- a/config/initializers/sanitize.rb +++ b/config/initializers/sanitize.rb 
@@ -1,5 +1,5 @@ Sanitize::Config::OSM = Sanitize::Config::RELAXED.dup Sanitize::Config::OSM[:elements] -= %w[div style] -Sanitize::Config::OSM[:add_attributes] = { "a" => { "rel" => "nofollow" } } +Sanitize::Config::OSM[:add_attributes] = { "a" => { "rel" => "nofollow noopener noreferer" } } Sanitize::Config::OSM[:remove_contents] = %w[script style] diff --git a/config/locales/en.yml b/config/locales/en.yml index e87e8f8ee..bbcba0f2c 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -1626,7 +1626,7 @@ en: edit: Edit preview: Preview markdown_help: - title_html: Parsed with Markdown + title_html: Parsed with kramdown headings: Headings heading: Heading subheading: Subheading diff --git a/lib/rich_text.rb b/lib/rich_text.rb index d0539b2b0..2b3e07d6a 100644 --- a/lib/rich_text.rb +++ b/lib/rich_text.rb @@ -55,11 +55,15 @@ module RichText SimpleFormat.new.simple_format(text) end - def linkify(text) + def sanitize(text) + Sanitize.clean(text, Sanitize::Config::OSM).html_safe + end + + def linkify(text, mode = :urls) if text.html_safe? - Rinku.auto_link(text, :urls, tag_builder.tag_options(:rel => "nofollow")).html_safe + Rinku.auto_link(text, mode, tag_builder.tag_options(:rel => "nofollow noopener noreferer")).html_safe else - Rinku.auto_link(text, :urls, tag_builder.tag_options(:rel => "nofollow")) + Rinku.auto_link(text, mode, tag_builder.tag_options(:rel => "nofollow noopener noreferer")) end end end 
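Review bot: The new rel value `nofollow noopener noreferer` misspells the link type: the HTML token is `noreferrer` (two r's), so browsers ignore the third word and the Referer header is still sent on outbound links; only `noopener` takes effect. The line should read `Sanitize::Config::OSM[:add_attributes] = { "a" => { "rel" => "nofollow noopener noreferrer" } }`. The same misspelling is introduced in both `Rinku.auto_link` calls of `linkify` in lib/rich_text.rb and is then pinned by every `assert_select "a[rel='nofollow noopener noreferer']"` in test/lib/rich_text_test.rb, so all three files need the corrected spelling together or the suite will fail on the fix.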
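Review bot: The new `mode` parameter on `linkify(text, mode = :urls)` and the new `sanitize(text)` carry no documentation, and a reader cannot tell from the signature which values `mode` accepts or that `sanitize` now sits in the public interface of `Base` (it was private before this commit, per the second lib/rich_text.rb hunk). I would add above `linkify` a comment such as `# @param mode [Symbol] Rinku autolink mode: :urls (default) or :all; the Markdown formatter passes :all` and above `sanitize` one such as `# Sanitizes HTML with Sanitize::Config::OSM and marks the result html_safe; callers must not re-introduce unsanitized content afterwards`. The `html_safe?` branching in `linkify` is unchanged from before the commit and the enclosing `module RichText` starts outside this hunk.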
@@ -72,30 +76,16 @@ module RichText def to_text to_s end - - private - - def sanitize(text) - Sanitize.clean(text, Sanitize::Config::OSM).html_safe - end end class Markdown < Base def to_html - Markdown.html_parser.render(self).html_safe + linkify(sanitize(Kramdown::Document.new(self).to_html), :all) end def to_text to_s end - - def self.html_renderer - @html_renderer ||= Redcarpet::Render::XHTML.new(:filter_html => true, :safe_links_only => true, :link_attributes => { :rel => "nofollow" }) - end - - def self.html_parser - @html_parser ||= Redcarpet::Markdown.new(html_renderer, :no_intra_emphasis => true, :autolink => true, :space_after_headers => true) - end end class Text < Base diff --git a/test/lib/rich_text_test.rb b/test/lib/rich_text_test.rb index 74d396b68..e1603fb09 100644 --- a/test/lib/rich_text_test.rb +++ b/test/lib/rich_text_test.rb @@ -8,14 +8,14 @@ class RichTextTest < ActiveSupport::TestCase assert_html r do assert_select "a", 1 assert_select "a[href='http://example.com/']", 1 - assert_select "a[rel='nofollow']", 1 + assert_select "a[rel='nofollow noopener noreferer']", 1 end r = RichText.new("html", "foo bar baz") assert_html r do assert_select "a", 1 assert_select "a[href='http://example.com/']", 1 - assert_select "a[rel='nofollow']", 1 + assert_select "a[rel='nofollow noopener noreferer']", 1 end r = RichText.new("html", "foo example@example.com bar") @@ -27,7 +27,7 @@ class RichTextTest < ActiveSupport::TestCase assert_html r do assert_select "a", 1 assert_select "a[href='mailto:example@example.com']", 1 - assert_select "a[rel='nofollow']", 1 + assert_select "a[rel='nofollow noopener noreferer']", 1 end r = RichText.new("html", "foo
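Review bot: `Markdown#to_html` now depends on a specific pipeline order, `linkify(sanitize(Kramdown::Document.new(self).to_html), :all)`, and nothing says why: kramdown's HTML output is not filtered by the parser itself, and the Rinku output of `linkify` is never re-sanitized, so `sanitize` must run on the kramdown output before `linkify`, not after it. A comment on that line such as `# kramdown passes raw HTML through, so sanitize its output first; linkify runs last because Rinku output is not re-sanitized` would keep the next refactor from swapping the calls. Note that the `rel` attribute on links reaches the output by two different routes here, `Sanitize::Config::OSM[:add_attributes]` for links kramdown produced and `tag_builder.tag_options` for links Rinku adds, so the two values must be kept identical. The enclosing `module RichText` begins before this hunk and the `Text` class continues after it.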
bar
baz") @@ -64,28 +64,28 @@ class RichTextTest < ActiveSupport::TestCase assert_html r do assert_select "a", 1 assert_select "a[href='http://example.com/']", 1 - assert_select "a[rel='nofollow']", 1 + assert_select "a[rel='nofollow noopener noreferer']", 1 end r = RichText.new("markdown", "foo [bar](http://example.com/) baz") assert_html r do assert_select "a", 1 assert_select "a[href='http://example.com/']", 1 - assert_select "a[rel='nofollow']", 1 + assert_select "a[rel='nofollow noopener noreferer']", 1 end r = RichText.new("markdown", "foo example@example.com bar") assert_html r do assert_select "a", 1 assert_select "a[href='mailto:example@example.com']", 1 - assert_select "a[rel='nofollow']", 1 + assert_select "a[rel='nofollow noopener noreferer']", 1 end r = RichText.new("markdown", "foo [bar](mailto:example@example.com) bar") assert_html r do assert_select "a", 1 assert_select "a[href='mailto:example@example.com']", 1 - assert_select "a[rel='nofollow']", 1 + assert_select "a[rel='nofollow noopener noreferer']", 1 end r = RichText.new("markdown", "foo ![bar](http://example.com/example.png) bar") @@ -162,7 +162,7 @@ class RichTextTest < ActiveSupport::TestCase assert_html r do assert_select "a", 1 assert_select "a[href='http://example.com/']", 1 - assert_select "a[rel='nofollow']", 1 + assert_select "a[rel='nofollow noopener noreferer']", 1 end r = RichText.new("text", "foo example@example.com bar")