Merge branch 'main' into rails-7-hacking-rebased

.github/workflows/tests.yml

@@ -86,6 +86,7 @@ jobs:
             ${{ runner.os }}-
       - name: Install Python dependencies
         run: |
+          python3.9 -m pip install --upgrade pip
           python3.9 -m pip install setuptools==58
           python3.9 -m pip install -r requirements.txt
       - name: Create test database

Dockerfile

@@ -46,6 +46,7 @@ RUN touch config/using-docker #allows us to see within SEEK we are running in a
 
 # Python dependencies from requirements.txt
 ENV PATH="/var/www/.local/bin:$PATH"
+RUN python3.9 -m pip install --upgrade pip
 RUN python3.9 -m pip install setuptools==58
 RUN python3.9 -m pip install -r requirements.txt
 

app/helpers/application_helper.rb

@@ -8,6 +8,9 @@ module ApplicationHelper
   include ImagesHelper
   include SessionsHelper
 
+  ALLOWED_HTML_WITH_TABLES = Rails::HTML::Concern::Scrubber::SafeList::DEFAULT_ALLOWED_TAGS.dup +
+    Set.new(%w(table thead tbody tfoot tr th td))
+
   def no_items_to_list_text
     content_tag :div, id: 'no-index-items-text' do
       "There are no #{resource_text_from_controller.pluralize} found that are visible to you."
@@ -224,7 +227,7 @@ def text_or_not_specified(text, options = {})
     else
       text.capitalize! if options[:capitalize]
       res = text.html_safe
-      res = sanitized_text(res)
+      res = sanitized_text(res, allow_tables: options[:markdown])
       res = truncate_without_splitting_words(res, options[:length]) if options[:length]
       if options[:markdown]
         # Convert `>` etc. back to `>` so markdown blockquotes can be used.
@@ -428,8 +431,10 @@ def using_docker?
     Seek::Docker.using_docker?
   end
 
-  def sanitized_text(text)
-    Rails::Html::SafeListSanitizer.new.sanitize(text)
+  def sanitized_text(text, allow_tables: false)
+    opts = {}
+    opts[:tags] = ALLOWED_HTML_WITH_TABLES if allow_tables
+    Rails::Html::SafeListSanitizer.new.sanitize(text, opts)
   end
 
   # whether manage attributes should be shown, dont show if editing (rather than new or managing)

app/views/projects/import_from_fairdata_station.html.erb

@@ -31,7 +31,7 @@
   <%= panel('Sharing permissions') do %>
     <div class="alert alert-info">
       <p>
-        The following sharing permissions will be applied to all the items created. It is possible to change them individually after they have been created. %>.
+        The following sharing permissions will be applied to all the items created. It is possible to change them individually after they have been created.
       </p>
       <p>
         Note that <strong>Download</strong> is shown but only applicable to some types. Where not applicable, then <strong>View</strong> will be applied.

app/views/workflows/show.html.erb

@@ -29,11 +29,12 @@
 
         <% begin %>
           <% if @display_workflow.diagram_exists? || @display_workflow.can_render_diagram? %>
+            <% diagram_path = diagram_workflow_path(@workflow, version: @display_workflow.version) %>
+            <% is_svg = @display_workflow&.diagram&.extension == 'svg' %>
             <div class="row">
               <div class="col-md-12">
                 <div class="workflow-diagram">
-                  <% diagram_path = diagram_workflow_path(@workflow, version: @display_workflow.version) %>
-                  <% if @display_workflow&.diagram.extension == 'svg' %>
+                  <% if is_svg %>
                     <%= content_tag(:embed, '', type: 'image/svg+xml', src: diagram_path, class: 'svg-pan-zoom', width: 1000, height: 500)  %>
                     <p class="help-block">Click and drag the diagram to pan, double click or use the controls to zoom.</p>
                   <% else %>
@@ -44,7 +45,7 @@
             </div>
           <% end %>
         <% rescue StandardError => e %>
-          <% raise e if Rails.env.development? %>
+          <% raise e unless Rails.env.production? %>
           <% Rails.logger.error(e.inspect) %>
           <% Rails.logger.error(e.backtrace.join("\n")) %>
           <div class="alert alert-warning">Could not render the workflow diagram.</div>

script/ansible/Deploy-SEEK.yml

@@ -192,6 +192,7 @@
     - name: Install SEEK's python requirements
       shell: bash -lc "{{ item }}"
       with_items:
+        - python3.9 -m pip install --upgrade pip
         - python3.9 -m pip install setuptools==58
         - python3.9 -m pip install -r requirements.txt
       args:

test/unit/helpers/application_helper_test.rb

@@ -403,4 +403,12 @@ def test_join_with_and
     assert_equal "<p>&amp;&amp; &quot;&quot; &lt; &gt;\n<code>&amp;&amp;</code></p>\n", text_or_not_specified("&& \"\" < >\n```&&```\n\n", markdown: true).to_s
     assert_equal "&amp;&amp; \"\" &lt; &gt;\n```&amp;&amp;```\n\n", text_or_not_specified("&& \"\" < >\n```&&```\n\n", markdown: false).to_s
   end
+
+  test 'markdown generation allows tables without compromising HTML sanitization' do
+    assert_equal "<table><tr><td>hey</td></tr></table>\n",
+                 text_or_not_specified("<table><tr><td>hey</td></tr></table>", markdown: true).to_s
+    assert_equal "<table><tr><td>\nalert('hi');hey</td></tr></table>\n",
+                 text_or_not_specified("<table><tr><td><script>alert('hi');</script>hey</td></tr></table>", markdown: true).to_s
+  end
+
 end