authorGitLab Bot <gitlab-bot@gitlab.com>2022-02-03 11:35:58 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-02-03 11:36:09 +0000
commiteb25ac12499d70f7ebd59b64857e6901a5c32972 (patch)
treee6755949ec3f059fcbe5110213cea3d2ef07a506
parent33bbb6aa7b6369fea0037f3d8a9243824e48f64f (diff)
Add latest changes from gitlab-org/security/gitlab@14-7-stable-ee
-rw-r--r--app/assets/javascripts/notebook/cells/output/html.vue3
-rw-r--r--spec/frontend/notebook/cells/output/html_sanitize_fixtures.js11
2 files changed, 12 insertions, 2 deletions
diff --git a/app/assets/javascripts/notebook/cells/output/html.vue b/app/assets/javascripts/notebook/cells/output/html.vue
index ca02ee18dd1..2d1d8845e41 100644
--- a/app/assets/javascripts/notebook/cells/output/html.vue
+++ b/app/assets/javascripts/notebook/cells/output/html.vue
@@ -30,6 +30,9 @@ export default {
},
safeHtmlConfig: {
ADD_TAGS: ['use'], // to support icon SVGs
+ FORBID_TAGS: ['style'],
+ FORBID_ATTR: ['style'],
+ ALLOW_DATA_ATTR: false,
},
};
</script>
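Review bot: The three new sanitizer options carry no comment, while the `ADD_TAGS` line right above them explains its purpose; a maintainer who later "relaxes" this config for a notebook widget needs to know these are security hardening, not formatting choices. I would annotate them as `FORBID_TAGS: ['style'], // untrusted CSS can restyle/overlay the page; DOMPurify allows <style> by default`, `FORBID_ATTR: ['style'], // same for inline CSS`, and `ALLOW_DATA_ATTR: false, // data-* passes through DOMPurify by default; nothing in notebook output should need it`. Note that `ALLOW_DATA_ATTR: false` also strips legitimate `data-*` attributes from rendered output (e.g. widget markup), which looks intended but is worth stating in the comment or commit description. Since `use` is explicitly re-enabled via `ADD_TAGS`, it is worth confirming that whatever consumes `safeHtmlConfig` also restricts the `href`/`xlink:href` target of `use` elements (DOMPurify drops `use` by default precisely because of href-based vectors); if that restriction lives elsewhere, a one-line pointer on the `ADD_TAGS` line would help. The enclosing `export default` object starts before this hunk.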
diff --git a/spec/frontend/notebook/cells/output/html_sanitize_fixtures.js b/spec/frontend/notebook/cells/output/html_sanitize_fixtures.js
index 803ac4a219d..70c7f56b62f 100644
--- a/spec/frontend/notebook/cells/output/html_sanitize_fixtures.js
+++ b/spec/frontend/notebook/cells/output/html_sanitize_fixtures.js
@@ -16,13 +16,20 @@ export default [
'text/html table',
{
input: [
- '<table>\n',
+ '<style type="text/css">\n',
+ '\n',
+ 'body {\n',
+ ' background: red;\n',
+ '}\n',
+ '\n',
+ '</style>\n',
+ '<table data-myattr="XSS">\n',
'<tr>\n',
'<th>Header 1</th>\n',
'<th>Header 2</th>\n',
'</tr>\n',
'<tr>\n',
- '<td>row 1, cell 1</td>\n',
+ '<td style="background: red;">row 1, cell 1</td>\n',
'<td>row 1, cell 2</td>\n',
'</tr>\n',
'<tr>\n',
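Review bot: The fixture now exercises a top-level `<style>` element, an inline `style` attribute and one `data-*` attribute, but not the SVG path that the component's `ADD_TAGS: ['use']` exists for, where CSS can also arrive as `<svg><style>…</style>…</svg>`; the expected output for this entry is outside the hunk, so I cannot see what is asserted. I would add a sibling fixture entry such as `'<svg><style>body{background:red}</style><use href="/icons.svg#foo"/></svg>\n',` so the same `FORBID_TAGS` rule is pinned for SVG content. The `'text/html table'` entry and the enclosing `export default [` array both extend beyond this hunk.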