author | Vinnie Okada <vokada@mrvinn.com> | 2015-03-17 21:17:00 -0600 |
committer | Vinnie Okada <vokada@mrvinn.com> | 2015-03-19 21:24:07 -0600 |
commit | 52bf95ae380dc06243d0c4e5c8eb80f8be15a4f3 (patch) | |
tree | bc553c8226b8f4fb23661731b6d489e25bfe2553 | |
parent | feeffc442618d92040cd1cc38158b689a09988fd (diff) | |
download | gitlab-ce-52bf95ae380dc06243d0c4e5c8eb80f8be15a4f3.tar.gz |
Change HTML sanitization
Use the `SanitizationFilter` class from the html-pipeline gem for inline
HTML instead of calling the Rails `sanitize` method.
-rw-r--r-- | app/helpers/gitlab_markdown_helper.rb | 2 | ||||
-rw-r--r-- | doc/markdown/markdown.md | 59 | ||||
-rw-r--r-- | lib/gitlab/markdown.rb | 36 |
3 files changed, 25 insertions, 72 deletions
diff --git a/app/helpers/gitlab_markdown_helper.rb b/app/helpers/gitlab_markdown_helper.rb
index 7bafbbd5f3f..6df506e835d 100644
--- a/app/helpers/gitlab_markdown_helper.rb
+++ b/app/helpers/gitlab_markdown_helper.rb
@@ -49,7 +49,7 @@ module GitlabMarkdownHelper
 space_after_headers: true,
 superscript: true)
 end
- @markdown.render(sanitize_html(text)).html_safe
+ @markdown.render(text).html_safe
 end
 # Return the first line of +text+, up to +max_chars+, after parsing the line
diff --git a/doc/markdown/markdown.md b/doc/markdown/markdown.md
index ddf1bbc6ee4..4ab73df8af9 100644
--- a/doc/markdown/markdown.md
+++ b/doc/markdown/markdown.md
@@ -440,64 +440,7 @@ Note that inline HTML is disabled in the default Gitlab configuration, although
 <dd>Does *not* work **very** well. Use HTML <em>tags</em>.</dd>
 </dl>
-The following tags can be used:
-
-* `<a/>`
-* `<abbr/>`
-* `<acronym/>`
-* `<address/>`
-* `<b/>`
-* `<big/>`
-* `<blockquote/>`
-* `<br/>`
-* `<cite/>`
-* `<code/>`
-* `<dd/>`
-* `<del/>`
-* `<dfn/>`
-* `<div/>`
-* `<dl/>`
-* `<dt/>`
-* `<em/>`
-* `<h1/>`
-* `<h2/>`
-* `<h3/>`
-* `<h4/>`
-* `<h5/>`
-* `<h6/>`
-* `<hr/>`
-* `<i/>`
-* `<img/>`
-* `<ins/>`
-* `<kbd/>`
-* `<li/>`
-* `<ol/>`
-* `<p/>`
-* `<pre/>`
-* `<samp/>`
-* `<small/>`
-* `<span/>`
-* `<strong/>`
-* `<sub/>`
-* `<sup/>`
-* `<tt/>`
-* `<ul/>`
-* `<var/>`
-
-You can also use the following HTML attributes in your inline tags:
-
-* `abbr`
-* `alt`
-* `cite`
-* `class`
-* `datetime`
-* `height`
-* `href`
-* `name`
-* `src`
-* `title`
-* `width`
-* `xml:lang`
+See the documentation for HTML::Pipeline's [SanitizationFilter](http://www.rubydoc.info/gems/html-pipeline/HTML/Pipeline/SanitizationFilter#WHITELIST-constant) class for the list of allowed HTML tags and attributes. In addition to the default `SanitizationFilter` whitelist, GitLab allows the `class`, `id`, and `style` attributes.
 ## Horizontal Rule
diff --git a/lib/gitlab/markdown.rb b/lib/gitlab/markdown.rb
index 32f04c866e3..cd70fd5e85b 100644
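Review bot: `@markdown.render(text).html_safe` now hands raw user input to Redcarpet with no sanitization on this side, so the safety of this helper rests entirely on every rendered result later passing through the SanitizationFilter that lib/gitlab/markdown.rb adds in the same commit; that postprocess path is not visible in this hunk, so please confirm no render path (another caller of this renderer, or a renderer that does not invoke gfm) bypasses it. The invariant is easy to lose silently, so I would pin it on the render line: `# No sanitization here: Gitlab::Markdown#gfm (SanitizationFilter) must run on every render path`. The `markdown` method starts before this hunk.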
--- a/lib/gitlab/markdown.rb
+++ b/lib/gitlab/markdown.rb
@@ -79,15 +79,34 @@ module Gitlab
 # Used markdown pipelines in GitLab:
 # GitlabEmojiFilter - performs emoji replacement.
+ # SanitizationFilter - remove unsafe HTML tags and attributes
 #
 # see https://gitlab.com/gitlab-org/html-pipeline-gitlab for more filters
 filters = [
- HTML::Pipeline::Gitlab::GitlabEmojiFilter
+ HTML::Pipeline::Gitlab::GitlabEmojiFilter,
+ HTML::Pipeline::SanitizationFilter
 ]
+ whitelist = HTML::Pipeline::SanitizationFilter::WHITELIST
+ whitelist[:attributes][:all].push('class', 'id', 'style')
+
+ # Remove the rel attribute that the sanitize gem adds, and remove the
+ # href attribute if it contains inline javascript
+ fix_anchors = lambda do |env|
+ name, node = env[:node_name], env[:node]
+ if name == 'a'
+ node.remove_attribute('rel')
+ if node['href'] && node['href'].match('javascript:')
+ node.remove_attribute('href')
+ end
+ end
+ end
+ whitelist[:transformers].push(fix_anchors)
+
 markdown_context = {
 asset_root: Gitlab.config.gitlab.url,
- asset_host: Gitlab::Application.config.asset_host
+ asset_host: Gitlab::Application.config.asset_host,
+ whitelist: whitelist
 }
 markdown_pipeline = HTML::Pipeline::Gitlab.new(filters).pipeline
@@ -97,22 +116,13 @@ module Gitlab
 if options[:xhtml]
 saveoptions |= Nokogiri::XML::Node::SaveOptions::AS_XHTML
 end
- text = result[:output].to_html(save_with: saveoptions)
- sanitize_html(text)
- end
-
- # Remove HTML tags and attributes that are not whitelisted
- def sanitize_html(text)
- allowed_attributes = ActionView::Base.sanitized_allowed_attributes
- allowed_tags = ActionView::Base.sanitized_allowed_tags
+ text = result[:output].to_html(save_with: saveoptions)
- text = sanitize text.html_safe,
- attributes: allowed_attributes + %w(id class style),
- tags: allowed_tags + %w(table tr td th)
 if options[:parse_tasks]
 text = parse_tasks(text)
 end
+ text
 end |
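Review bot: `whitelist = HTML::Pipeline::SanitizationFilter::WHITELIST` binds the gem's shared constant rather than a copy, and the two `push` calls then mutate it in place, so every time this method runs it appends another `'class', 'id', 'style'` triple and another `fix_anchors` lambda to the process-wide lists, and any other SanitizationFilter user in the process silently inherits GitLab's looser rules. Take a private copy once instead, `whitelist = HTML::Pipeline::SanitizationFilter::WHITELIST.deep_dup` (ActiveSupport appears to be in scope given the `Gitlab::Application.config` reference), or hoist the customised whitelist into a memoised constant so it is built a single time. The `match('javascript:')` backstop is case-sensitive and unanchored, so it should not be read as the primary control; assuming the gem's default `href` protocol whitelist is still in force it is only belt-and-braces, and if kept it should be `if node['href'] && node['href'] =~ /\A\s*javascript:/i`. Allowing `style` on every element passes inline CSS through untouched (no CSS filtering is visible in this whitelist), which is enough for overlay and clickjacking-style tricks, and an attacker-chosen `id` can shadow the page's own element ids, so the `push` line deserves a comment recording that this is a deliberate trade-off. The enclosing method starts and ends outside this hunk.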
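Review bot: `text = parse_tasks(text)` now runs on the serialised output after SanitizationFilter has already done its work, so it is the last step to touch the HTML and anything it injects escapes the whitelist; it must only emit fixed markup and must never interpolate task text without escaping, which I cannot confirm from here since `parse_tasks` is outside the hunk. A comment above the `if options[:parse_tasks]` branch would make the ordering constraint explicit: `# Runs after SanitizationFilter: parse_tasks must only add fixed markup, never user-controlled HTML`. `sanitize_html` is deleted here and its one visible caller removed in the helper, but I cannot see the rest of the repository, so grep for any remaining caller before merging, as it would now raise NoMethodError at render time. The enclosing method starts before this hunk.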