diff options
| author | Sean McGivern <sean@gitlab.com> | 2016-06-13 13:06:40 +0100 |
|---|---|---|
| committer | Sean McGivern <sean@gitlab.com> | 2016-06-13 13:06:40 +0100 |
| commit | 03d2bf141cde7bb12f88f25bcb08a612e65044c4 (patch) | |
| tree | 2465f9a02bc438010ce965b5cd206805ea90b6a0 | |
| parent | cfc99bbd1390bc548a703fdc7857c7db5b0e7c13 (diff) | |
| download | gitlab-ce-fix-markdown-spec.tar.gz | |
Fix description and GFM pipelines conflictingfix-markdown-spec
Consider this command:
bundle exec rails r "include GitlabMarkdownHelper
puts markdown('<span>this is a span</span>', pipeline: :description)
puts markdown('<span>this is a span</span>')"
And the same in the opposite order:
bundle exec rails r "include GitlabMarkdownHelper
puts markdown('<span>this is a span</span>')
puts markdown('<span>this is a span</span>', pipeline: :description)"
Before this change, they would both output:
<p><span>this is a span</span></p>
<p>this is a span</p>
That's because `span` is added to the list of whitelisted elements in
the `SanitizationFilter`, but this method tries not to make the same
changes multiple times. Unfortunately,
`HTML::Pipeline::SanitizationFilter::LIMITED`, which is used by the
`DescriptionPipeline`, uses the same Ruby objects for all of its hash
values _except_ `:elements`.
That means that whichever of `DescriptionPipeline` and `GfmPipeline` is
called first would have `span` in its whitelisted elements, and the
second wouldn't.
Fix this by creating an entirely separate hash, before either pipeline
is invoked.
| -rw-r--r-- | lib/banzai/pipeline/description_pipeline.rb | 17 |
1 files changed, 5 insertions, 12 deletions
diff --git a/lib/banzai/pipeline/description_pipeline.rb b/lib/banzai/pipeline/description_pipeline.rb index f2395867658..042fb2e6e14 100644 --- a/lib/banzai/pipeline/description_pipeline.rb +++ b/lib/banzai/pipeline/description_pipeline.rb @@ -1,23 +1,16 @@ module Banzai module Pipeline class DescriptionPipeline < FullPipeline + WHITELIST = Banzai::Filter::SanitizationFilter::LIMITED.deep_dup.merge( + elements: Banzai::Filter::SanitizationFilter::LIMITED[:elements] - %w(pre code img ol ul li) + ) + def self.transform_context(context) super(context).merge( # SanitizationFilter - whitelist: whitelist + whitelist: WHITELIST ) end - - private - - def self.whitelist - # Descriptions are more heavily sanitized, allowing only a few elements. - # See http://git.io/vkuAN - whitelist = Banzai::Filter::SanitizationFilter::LIMITED - whitelist[:elements] -= %w(pre code img ol ul li) - - whitelist - end end end end |