authorBenedict Etzel <developer@beheh.de>2016-01-22 13:47:14 +0100
committerBenedict Etzel <developer@beheh.de>2016-01-23 20:38:06 +0100
commit6435f78a8c66be92613c3a8ea4ec8171d0c38fea (patch)
treefe633fc0e6bfcb481e196616105b654dbda85877
parentdc78ee4e8b4911edf04949e2aa036997623d60ae (diff)
downloadgitlab-ce-6435f78a8c66be92613c3a8ea4ec8171d0c38fea.tar.gz
Whitelist raw "abbr" elements when parsing Markdown
Closes #12517
-rw-r--r--CHANGELOG1
-rw-r--r--lib/banzai/filter/sanitization_filter.rb4
-rw-r--r--spec/lib/banzai/filter/sanitization_filter_spec.rb5
3 files changed, 10 insertions, 0 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 7af6a22f37f..d78c38cf1dc 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -6,6 +6,7 @@ v 8.5.0 (unreleased)
- Upgrade gitlab_git to 7.2.23 to fix commit message mentions in first branch push
- New UI for pagination
- Fix diff comments loaded by AJAX to load comment with diff in discussion tab
+ - Whitelist raw "abbr" elements when parsing Markdown (Benedict Etzel)
v 8.4.0
- Allow LDAP users to change their email if it was not set by the LDAP server
diff --git a/lib/banzai/filter/sanitization_filter.rb b/lib/banzai/filter/sanitization_filter.rb
index 3f49d492f2f..d1e11eedec3 100644
--- a/lib/banzai/filter/sanitization_filter.rb
+++ b/lib/banzai/filter/sanitization_filter.rb
@@ -43,6 +43,10 @@ module Banzai
# Allow span elements
whitelist[:elements].push('span')
+ # Allow abbr elements with title attribute
+ whitelist[:elements].push('abbr')
+ whitelist[:attributes]['abbr'] = %w(title)
+
# Allow any protocol in `a` elements...
whitelist[:protocols].delete('a')
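Review bot: `whitelist[:attributes]['abbr'] = %w(title)` replaces whatever attribute list the inherited whitelist may hold for `abbr` rather than extending it, unlike the `push` used for `:elements` on the line above; if the base whitelist ever defines per-element attributes for `abbr`, they would be silently dropped by this assignment. A form that extends instead, `(whitelist[:attributes]['abbr'] ||= []).push('title')`, keeps the two additions consistent in style and intent. The comment could also state why `title` is the only attribute admitted — it is text-only and carries no URL or script context, so nothing beyond the sanitizer's attribute-value escaping is needed — e.g. `# Allow abbr elements; only the text-only title attribute is permitted`. The spec added in this commit checks only that a well-formed `<abbr title>` survives; a companion example asserting that a non-whitelisted attribute on `abbr` is stripped would pin the sanitization boundary this change moves. The enclosing method begins outside the hunk.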
diff --git a/spec/lib/banzai/filter/sanitization_filter_spec.rb b/spec/lib/banzai/filter/sanitization_filter_spec.rb
index 760d60a4190..9c63d227044 100644
--- a/spec/lib/banzai/filter/sanitization_filter_spec.rb
+++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb
@@ -75,6 +75,11 @@ describe Banzai::Filter::SanitizationFilter, lib: true do
expect(filter(act).to_html).to eq exp
end
+ it 'allows `abbr` elements' do
+ exp = act = %q{<abbr title="HyperText Markup Language">HTML</abbr>}
+ expect(filter(act).to_html).to eq exp
+ end
+
it 'removes `rel` attribute from `a` elements' do
act = %q{<a href="#" rel="nofollow">Link</a>}
exp = %q{<a href="#">Link</a>}