author: David Eisner <david.eisner@oriel.oxon.org> 2016-10-04 16:27:40 +0100
committer: Airat Shigapov <contact@airatshigapov.com> 2016-10-20 15:44:34 +0300
commit: aa2406e0f821e217ed5e0c59a212cecd73227509 (patch)
tree: a3b09152f9d6d0006e0f0416dfeff1323c4a3211
parent: b434b75fd0a5486325dabcf0a2edf652c959675b (diff)
Clean up Banzai HTML for HipChat
The `class` and `data-*` attributes are meaningless in HipChat, and it would probably be better to limit the tags, too. For example, we could avoid block-level elements in `render_line`.
-rw-r--r-- app/models/project_services/hipchat_service.rb | 3
1 files changed, 3 insertions, 0 deletions
diff --git a/app/models/project_services/hipchat_service.rb b/app/models/project_services/hipchat_service.rb
index ce4a2a96015..8988a7b905e 100644
--- a/app/models/project_services/hipchat_service.rb
+++ b/app/models/project_services/hipchat_service.rb
@@ -1,4 +1,6 @@
class HipchatService < Service
+ include ActionView::Helpers::SanitizeHelper
+
MAX_COMMITS = 3
prop_accessor :token, :room, :server, :notify, :color, :api_version
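Review bot: the `include ActionView::Helpers::SanitizeHelper` at the top of the class mixes a view helper module into a model, so every `HipchatService` instance gains `sanitize`, `sanitize_css`, `strip_tags` and `strip_links` as methods when only one call site needs `sanitize`. Consider calling the sanitizer without the include, for example through `ActionController::Base.helpers.sanitize(...)`, or add a short comment on the include saying it exists for the HipChat message rendering further down.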
@@ -138,6 +140,7 @@ class HipchatService < Service
html = Banzai.render(text, context)
html = Banzai.post_process(html, context)
+ sanitize html, attributes: %w(href title alt)
else
""
end
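Review bot: the added `sanitize html, attributes: %w(href title alt)` line narrows attributes only, so the set of tags that reaches HipChat is still whatever the Rails sanitizer allows by default, which the commit message itself flags as worth limiting. Passing an explicit `tags:` list alongside `attributes:` would make the output independent of framework defaults. The line also relies on being the last expression of the branch for its return value, while the two lines above assign to `html`; assigning the result and returning `html` explicitly would keep the branch from returning unsanitized markup if a line is later added after it. The patch touches one file and adds no spec, so a test asserting that `class` and `data-*` attributes are stripped from the rendered message would pin the behaviour.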