diff options
| author | Vinnie Okada <vokada@mrvinn.com> | 2014-10-10 14:34:43 -0500 |
|---|---|---|
| committer | Vinnie Okada <vokada@mrvinn.com> | 2014-10-10 14:42:24 -0500 |
| commit | 6798a6a8e224471b69018ad5cc4a526654ea5772 (patch) | |
| tree | e865939c0257e25c24f27e772d5a19b9fc088f09 | |
| parent | f7342ce56764aaf6465bca74239955778c25107b (diff) | |
| download | gitlab-ce-6798a6a8e224471b69018ad5cc4a526654ea5772.tar.gz | |
Allow HTML tags in user Markdown input
Allow whitelisted tags to appear in rendered HTML output by disabling
Redcarpet's `:filter_html` option.
| -rw-r--r-- | app/helpers/gitlab_markdown_helper.rb | 3 | ||||
| -rw-r--r-- | lib/gitlab/markdown.rb | 5 | ||||
| -rw-r--r-- | spec/helpers/gitlab_markdown_helper_spec.rb | 30 |
3 files changed, 36 insertions, 2 deletions
diff --git a/app/helpers/gitlab_markdown_helper.rb b/app/helpers/gitlab_markdown_helper.rb index 0365681a128..3a0e8bcda4e 100644 --- a/app/helpers/gitlab_markdown_helper.rb +++ b/app/helpers/gitlab_markdown_helper.rb @@ -33,7 +33,6 @@ module GitlabMarkdownHelper @options = options gitlab_renderer = Redcarpet::Render::GitlabHTML.new(self, { # see https://github.com/vmg/redcarpet#darling-i-packed-you-a-couple-renderers-for-lunch- - filter_html: true, with_toc_data: true, safe_links_only: true }.merge(options)) @@ -48,7 +47,7 @@ module GitlabMarkdownHelper space_after_headers: true, superscript: true) end - @markdown.render(text).html_safe + @markdown.render(sanitize_html(text)).html_safe end def first_line_in_markdown(text) diff --git a/lib/gitlab/markdown.rb b/lib/gitlab/markdown.rb index 17512a51658..464b88d07ea 100644 --- a/lib/gitlab/markdown.rb +++ b/lib/gitlab/markdown.rb @@ -80,6 +80,11 @@ module Gitlab markdown_context) text = result[:output].to_html(save_with: 0) + sanitize_html(text) + end + + # Remove HTML tags and attributes that are not whitelisted + def sanitize_html(text) allowed_attributes = ActionView::Base.sanitized_allowed_attributes allowed_tags = ActionView::Base.sanitized_allowed_tags diff --git a/spec/helpers/gitlab_markdown_helper_spec.rb b/spec/helpers/gitlab_markdown_helper_spec.rb index 15033f07432..c75773ad321 100644 --- a/spec/helpers/gitlab_markdown_helper_spec.rb +++ b/spec/helpers/gitlab_markdown_helper_spec.rb @@ -614,6 +614,36 @@ describe GitlabMarkdownHelper do expected = "" markdown(actual).should match(expected) end + + it 'should allow whitelisted HTML tags from the user' do + actual = '<dl><dt>Term</dt><dd>Definition</dd></dl>' + expect(markdown(actual)).to match(actual) + end + + it 'should sanitize tags that are not whitelisted' do + actual = '<textarea>no inputs allowed</textarea> <blink>no blinks</blink>' + expected = 'no inputs allowed no blinks' + expect(markdown(actual)).to match(expected) + expect(markdown(actual)).not_to match('<.textarea>') + expect(markdown(actual)).not_to match('<.blink>') + end + + it 'should allow whitelisted tag attributes from the user' do + actual = '<a class="custom">link text</a>' + expect(markdown(actual)).to match(actual) + end + + it 'should sanitize tag attributes that are not whitelisted' do + actual = '<a href="http://example.com/bar.html" foo="bar">link text</a>' + expected = '<a href="http://example.com/bar.html">link text</a>' + expect(markdown(actual)).to match(expected) + end + + it 'should sanitize javascript in attributes' do + actual = %q(<a href="javascript:alert('foo')">link text</a>) + expected = '<a>link text</a>' + expect(markdown(actual)).to match(expected) + end end describe 'markdown for empty repository' do |