diff options
author | Vinnie Okada <vokada@mrvinn.com> | 2015-03-21 08:39:54 -0600 |
---|---|---|
committer | Vinnie Okada <vokada@mrvinn.com> | 2015-03-21 08:39:54 -0600 |
commit | cc29ce491786d631586c3b0d0da310b8b790a673 (patch) | |
tree | c7de114ccfc50b43d52c409300ec6bb20ebcffd9 | |
parent | 52bf95ae380dc06243d0c4e5c8eb80f8be15a4f3 (diff) | |
download | gitlab-ce-cc29ce491786d631586c3b0d0da310b8b790a673.tar.gz |
Don't allow style attributes in inline HTML
-rw-r--r-- | CHANGELOG | 1 | ||||
-rw-r--r-- | lib/gitlab/markdown.rb | 2 |
2 files changed, 2 insertions, 1 deletions
diff --git a/CHANGELOG b/CHANGELOG index c4e47346fd8..0046b73ba75 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,7 @@ Please view this file on the master branch, on stable branches it's out of date. v 7.10.0 (unreleased) + - Allow HTML tags in Markdown input v 7.9.0 (unreleased) - Add HipChat integration documentation (Stan Hu) diff --git a/lib/gitlab/markdown.rb b/lib/gitlab/markdown.rb index cd70fd5e85b..65dce9291e6 100644 --- a/lib/gitlab/markdown.rb +++ b/lib/gitlab/markdown.rb @@ -88,7 +88,7 @@ module Gitlab ] whitelist = HTML::Pipeline::SanitizationFilter::WHITELIST - whitelist[:attributes][:all].push('class', 'id', 'style') + whitelist[:attributes][:all].push('class', 'id') # Remove the rel attribute that the sanitize gem adds, and remove the # href attribute if it contains inline javascript |