diff options
author | Benedict Etzel <developer@beheh.de> | 2016-01-22 13:47:14 +0100 |
---|---|---|
committer | Benedict Etzel <developer@beheh.de> | 2016-01-23 20:38:06 +0100 |
commit | 6435f78a8c66be92613c3a8ea4ec8171d0c38fea (patch) | |
tree | fe633fc0e6bfcb481e196616105b654dbda85877 | |
parent | dc78ee4e8b4911edf04949e2aa036997623d60ae (diff) | |
download | gitlab-ce-6435f78a8c66be92613c3a8ea4ec8171d0c38fea.tar.gz |
Whitelist raw "abbr" elements when parsing Markdown
Closes #12517
-rw-r--r-- | CHANGELOG | 1 | ||||
-rw-r--r-- | lib/banzai/filter/sanitization_filter.rb | 4 | ||||
-rw-r--r-- | spec/lib/banzai/filter/sanitization_filter_spec.rb | 5 |
3 files changed, 10 insertions, 0 deletions
diff --git a/CHANGELOG b/CHANGELOG index 7af6a22f37f..d78c38cf1dc 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -6,6 +6,7 @@ v 8.5.0 (unreleased) - Upgrade gitlab_git to 7.2.23 to fix commit message mentions in first branch push - New UI for pagination - Fix diff comments loaded by AJAX to load comment with diff in discussion tab + - Whitelist raw "abbr" elements when parsing Markdown (Benedict Etzel) v 8.4.0 - Allow LDAP users to change their email if it was not set by the LDAP server diff --git a/lib/banzai/filter/sanitization_filter.rb b/lib/banzai/filter/sanitization_filter.rb index 3f49d492f2f..d1e11eedec3 100644 --- a/lib/banzai/filter/sanitization_filter.rb +++ b/lib/banzai/filter/sanitization_filter.rb @@ -43,6 +43,10 @@ module Banzai # Allow span elements whitelist[:elements].push('span') + # Allow abbr elements with title attribute + whitelist[:elements].push('abbr') + whitelist[:attributes]['abbr'] = %w(title) + # Allow any protocol in `a` elements... whitelist[:protocols].delete('a') diff --git a/spec/lib/banzai/filter/sanitization_filter_spec.rb b/spec/lib/banzai/filter/sanitization_filter_spec.rb index 760d60a4190..9c63d227044 100644 --- a/spec/lib/banzai/filter/sanitization_filter_spec.rb +++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb @@ -75,6 +75,11 @@ describe Banzai::Filter::SanitizationFilter, lib: true do expect(filter(act).to_html).to eq exp end + it 'allows `abbr` elements' do + exp = act = %q{<abbr title="HyperText Markup Language">HTML</abbr>} + expect(filter(act).to_html).to eq exp + end + it 'removes `rel` attribute from `a` elements' do act = %q{<a href="#" rel="nofollow">Link</a>} exp = %q{<a href="#">Link</a>} |