authorRobert Speicher <rspeicher@gmail.com>2015-06-02 13:41:12 -0400
committerRobert Speicher <rspeicher@gmail.com>2015-06-02 13:41:12 -0400
commit9e7a9c63a59f4e673271b3600b735e3fa6702432 (patch)
tree3ea0626b8d56d3c14309ccf07e6c3fcb4fd6f465
parent79c4e3899fa7697afdefb13d64c4add08ca84aac (diff)
downloadgitlab-ce-rs-more-nofollow.tar.gz
Further limit the limited whitelist for project/group descriptionsrs-more-nofollow
-rw-r--r--lib/gitlab/markdown/sanitization_filter.rb1
-rw-r--r--spec/lib/gitlab/markdown/sanitization_filter_spec.rb19
2 files changed, 18 insertions, 2 deletions
diff --git a/lib/gitlab/markdown/sanitization_filter.rb b/lib/gitlab/markdown/sanitization_filter.rb
index fc29d09081a..74b3a8d274f 100644
--- a/lib/gitlab/markdown/sanitization_filter.rb
+++ b/lib/gitlab/markdown/sanitization_filter.rb
@@ -12,6 +12,7 @@ module Gitlab
# See http://git.io/vkuAN
if pipeline == :description
whitelist = LIMITED
+ whitelist[:elements] -= %w(pre code img ol ul li)
else
whitelist = super
end
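Review bot: `whitelist = LIMITED` on the line before the added one binds the constant object itself, not a copy, so `whitelist[:elements] -= %w(pre code img ol ul li)` writes the reduced array back into LIMITED and mutates it in place for the lifetime of the process. If LIMITED is the html-pipeline gem's shared constant (its definition is not in this hunk), that reduction leaks to every other caller of that whitelist, and a frozen LIMITED would raise on the assignment instead. Copying before editing keeps the constant intact: `whitelist = LIMITED.dup` followed by the existing `-=` line, or in one step `whitelist = LIMITED.merge(elements: LIMITED[:elements] - %w(pre code img ol ul li))`. The `whitelist` method starts and ends outside the hunk, so any further in-place edits of the hash later in the method would need the same copy to be effective.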
diff --git a/spec/lib/gitlab/markdown/sanitization_filter_spec.rb b/spec/lib/gitlab/markdown/sanitization_filter_spec.rb
index 8627cb288ab..e50c82d0b3c 100644
--- a/spec/lib/gitlab/markdown/sanitization_filter_spec.rb
+++ b/spec/lib/gitlab/markdown/sanitization_filter_spec.rb
@@ -95,8 +95,23 @@ module Gitlab::Markdown
context 'when pipeline is :description' do
it 'uses a stricter whitelist' do
- doc = filter('<h1>My Project</h1>', pipeline: :description)
- expect(doc.to_html.strip).to eq 'My Project'
+ doc = filter('<h1>Description</h1>', pipeline: :description)
+ expect(doc.to_html.strip).to eq 'Description'
+ end
+
+ %w(pre code img ol ul li).each do |elem|
+ it "removes '#{elem}' elements" do
+ act = "<#{elem}>Description</#{elem}>"
+ expect(filter(act, pipeline: :description).to_html.strip).
+ to eq 'Description'
+ end
+ end
+
+ %w(b i strong em a ins del sup sub p).each do |elem|
+ it "still allows '#{elem}' elements" do
+ exp = act = "<#{elem}>Description</#{elem}>"
+ expect(filter(act, pipeline: :description).to_html).to eq exp
+ end
end
end
end
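Review bot: The new examples show the six elements are stripped under `pipeline: :description`, but nothing checks that the default pipeline is unaffected afterwards, which is exactly the regression a shared, mutated whitelist would produce, and the `:description` run in the same process would mask it. An example that runs the description pipeline first and then asserts the default pipeline still keeps `<pre>` would pin that, assuming the default whitelist permits `pre` (not visible in this hunk). The enclosing `describe` and `module Gitlab::Markdown` blocks begin outside the hunk.
```ruby
      # … unchanged: 'removes' and 'still allows' loops …

      it 'does not alter the whitelist used by the default pipeline' do
        filter('<pre>Description</pre>', pipeline: :description)
        expect(filter('<pre>Description</pre>').to_html).to eq '<pre>Description</pre>'
      end
```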