diff options
author | Douwe Maan <douwe@selenight.nl> | 2018-06-15 14:05:26 +0200 |
---|---|---|
committer | Douwe Maan <douwe@selenight.nl> | 2018-06-18 10:54:04 +0200 |
commit | e1a77fa757c65cf243e6b74bf83a394da923ef0f (patch) | |
tree | 04bc841528fbde88b083e350acffa67cd5aa5cae | |
parent | bc2cf82f68d64622e3ca2facb601c711bf1682e6 (diff) | |
download | gitlab-ce-e1a77fa757c65cf243e6b74bf83a394da923ef0f.tar.gz |
Whitelist text-align property for th and td
-rw-r--r-- | lib/banzai/filter/sanitization_filter.rb | 3 | ||||
-rw-r--r-- | spec/lib/banzai/filter/sanitization_filter_spec.rb | 12 |
2 files changed, 13 insertions, 2 deletions
diff --git a/lib/banzai/filter/sanitization_filter.rb b/lib/banzai/filter/sanitization_filter.rb index 6786b9d07b6..afc2ca4e362 100644 --- a/lib/banzai/filter/sanitization_filter.rb +++ b/lib/banzai/filter/sanitization_filter.rb @@ -25,10 +25,11 @@ module Banzai # Only push these customizations once return if customized?(whitelist[:transformers]) - # Allow table alignment; we whitelist specific style properties in a + # Allow table alignment; we whitelist specific text-align values in a # transformer below whitelist[:attributes]['th'] = %w(style) whitelist[:attributes]['td'] = %w(style) + whitelist[:css] = { properties: ['text-align'] } # Allow span elements whitelist[:elements].push('span') diff --git a/spec/lib/banzai/filter/sanitization_filter_spec.rb b/spec/lib/banzai/filter/sanitization_filter_spec.rb index 17a620ef603..d930c608b18 100644 --- a/spec/lib/banzai/filter/sanitization_filter_spec.rb +++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb @@ -93,6 +93,16 @@ describe Banzai::Filter::SanitizationFilter do expect(doc.at_css('td')['style']).to eq 'text-align: center' end + it 'disallows `text-align` property in `style` attribute on other elements' do + html = <<~HTML + <div style="text-align: center">Text</div> + HTML + + doc = filter(html) + + expect(doc.at_css('div')['style']).to be_nil + end + it 'allows `span` elements' do exp = act = %q{<span>Hello</span>} expect(filter(act).to_html).to eq exp @@ -224,7 +234,7 @@ describe Banzai::Filter::SanitizationFilter do 'protocol-based JS injection: spaces and entities' => { input: '<a href="  javascript:alert(\'XSS\');">foo</a>', - output: '<a href="">foo</a>' + output: '<a href>foo</a>' }, 'protocol whitespace' => { |