alphagov · tijmenb · Jun 6, 2018 · Jun 5, 2018 · Jun 5, 2018 · Jun 5, 2018
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,30 @@
   useful summary for people upgrading their application, not a replication
   of the commit log.
 
+## Unreleased
+
+* It is no longer allowed to pass in unsafe HTML into the Govspeak component. This
+  will result in a warning for now, but in a future version this will become an error.
+
+### How to upgrade
+
+Change instances like this:
+
+```erb
+<%= render 'govuk_publishing_components/components/govspeak', content:
+"<p>Foo #{bar}</p>" %>
+```
+
+into the following safe version:
+
+```erb
+<%= render 'govuk_publishing_components/components/govspeak' do %>
+  <p>Foo <%= bar %></p>
+<% end %>
+```
+
+This will prevent XSS vulnerabilities where `bar` is user input.
+
 ## 9.1.0
 
 * Extend the document list component (PR #355)

diff --git a/app/views/govuk_publishing_components/component_guide/example.html.erb b/app/views/govuk_publishing_components/component_guide/example.html.erb
@@ -3,7 +3,7 @@
 
 <div class="component-show">
   <div class="component-doc">
-    <%= render "govuk_publishing_components/components/govspeak", content: @component_example.html_description %>
+    <%= render "govuk_publishing_components/components/govspeak", content: raw(@component_example.html_description) %>
     <h2 class="component-doc-h2">How to call this example</h2>
     <%= render partial: "govuk_publishing_components/component_guide/component_doc/call", locals: { component_doc: @component_doc, example: @component_example } %>
 

diff --git a/app/views/govuk_publishing_components/component_guide/show.html.erb b/app/views/govuk_publishing_components/component_guide/show.html.erb
@@ -13,7 +13,7 @@
       <%= render 'govuk_publishing_components/components/lead_paragraph', text: @component_doc.description %>
       <% if @component_doc.body.present? %>
         <div class="component-body">
-          <%= render 'govuk_publishing_components/components/govspeak', content: @component_doc.html_body %>
+          <%= render 'govuk_publishing_components/components/govspeak', content: raw(@component_doc.html_body) %>
         </div>
       <% end %>
     </div>
@@ -32,7 +32,7 @@
     <div class="grid-row component-accessibility-criteria">
       <div class="column-two-thirds">
         <h2 class="component-doc-h2">Accessibility acceptance criteria</h2>
-        <%= render 'govuk_publishing_components/components/govspeak', content: @component_doc.html_accessibility_criteria %>
+        <%= render 'govuk_publishing_components/components/govspeak', content: raw(@component_doc.html_accessibility_criteria) %>
       </div>
     </div>
   <% end %>
@@ -48,7 +48,7 @@
             <a href="<%= component_example_path(@component_doc.id, example.id) %>"><%= example.name %></a>
             <small>(<a href="<%= component_preview_path(@component_doc.id, example.id) %>">preview</a>)</small>
           </h3>
-          <%= render "govuk_publishing_components/components/govspeak", content: example.html_description %>
+          <%= render "govuk_publishing_components/components/govspeak", content: raw(example.html_description) %>
           <%= render "govuk_publishing_components/component_guide/component_doc/call", component_doc: @component_doc, example: example %>
           <%= render "govuk_publishing_components/component_guide/component_doc/preview", component_doc: @component_doc, example: example %>
         </div>

diff --git a/app/views/govuk_publishing_components/components/_govspeak.html.erb b/app/views/govuk_publishing_components/components/_govspeak.html.erb
@@ -10,5 +10,28 @@
 %>
 
 <div class="gem-c-govspeak govuk-govspeak <%= classes.join(" ") %>">
-  <%= raw content %>
+  <% if local_assigns.include?(:content) %>
+    <% if content.html_safe? %>
+      <%= content %>
+    <% else %>
+      <% puts "
+        You've passed in unsanitised HTML into the govspeak component as the
+        `content` param.
+
+        Passing in unsafe HTML is deprecated and will be removed in a future
+        version. You need to pass in a block instead or use the `capture` helper.
+
+        See the component guide for examples.
+
+        If you're 100% sure there's no unsanitised user input in the string you
+        could also call `.html_safe` on the string or use the `raw` helper before
+        passing it in.
+
+        Called from #{caller_locations.find { |l| l.to_s.include?('.erb') }}
+        " %>
+      <%= raw content %>
+    <% end %>
+  <% elsif block_given? %>
+    <%= yield %>
+  <% end %>
 </div>
diff --git a/app/views/govuk_publishing_components/components/_govspeak_html_publication.html.erb b/app/views/govuk_publishing_components/components/_govspeak_html_publication.html.erb
@@ -1,9 +1,12 @@
 <%
-  govspeak_locals = { content: content }
+  govspeak_locals = {}
+  govspeak_locals[:content] = local_assigns.fetch(:content) if local_assigns.include?(:content)
   govspeak_locals[:direction] = local_assigns.fetch(:direction) if local_assigns.include?(:direction)
   govspeak_locals[:rich_govspeak] = local_assigns.fetch(:rich_govspeak) if local_assigns.include?(:rich_govspeak)
   govspeak_locals[:disable_youtube_expansions] = local_assigns.fetch(:disable_youtube_expansions) if local_assigns.include?(:disable_youtube_expansions)
 %>
 <div class="gem-c-govspeak-html-publication">
-  <%= render 'govuk_publishing_components/components/govspeak', govspeak_locals %>
+  <%= render 'govuk_publishing_components/components/govspeak', govspeak_locals do %>
+    <%= yield %>
+  <% end %>
 </div>