diff options
author | Robert Speicher <rspeicher@gmail.com> | 2015-05-20 20:55:11 -0400 |
---|---|---|
committer | Job van der Voort <jobvandervoort@gmail.com> | 2015-05-21 10:42:51 +0200 |
commit | 0b63bb6e772b80048937e17f636f01253c16d947 (patch) | |
tree | 0b41afa242f4583d15edacde69ffee6a1dc6724e | |
parent | 98f12863469323c589f176f9cc24b8efc5308e3a (diff) | |
download | gitlab-ce-0b63bb6e772b80048937e17f636f01253c16d947.tar.gz |
Customize the sanitization whitelist only once
Fixes #1651
-rw-r--r-- | lib/gitlab/markdown/sanitization_filter.rb | 35 |
1 files changed, 22 insertions, 13 deletions
diff --git a/lib/gitlab/markdown/sanitization_filter.rb b/lib/gitlab/markdown/sanitization_filter.rb index 6f33155badf..88781fea0c8 100644 --- a/lib/gitlab/markdown/sanitization_filter.rb +++ b/lib/gitlab/markdown/sanitization_filter.rb @@ -8,28 +8,33 @@ module Gitlab # Extends HTML::Pipeline::SanitizationFilter with a custom whitelist. class SanitizationFilter < HTML::Pipeline::SanitizationFilter def whitelist - whitelist = HTML::Pipeline::SanitizationFilter::WHITELIST + whitelist = super - # Allow code highlighting - whitelist[:attributes]['pre'] = %w(class) - whitelist[:attributes]['span'] = %w(class) + # Only push these customizations once + unless customized?(whitelist[:transformers]) + # Allow code highlighting + whitelist[:attributes]['pre'] = %w(class) + whitelist[:attributes]['span'] = %w(class) - # Allow table alignment - whitelist[:attributes]['th'] = %w(style) - whitelist[:attributes]['td'] = %w(style) + # Allow table alignment + whitelist[:attributes]['th'] = %w(style) + whitelist[:attributes]['td'] = %w(style) - # Allow span elements - whitelist[:elements].push('span') + # Allow span elements + whitelist[:elements].push('span') - # Remove `rel` attribute from `a` elements - whitelist[:transformers].push(remove_rel) + # Remove `rel` attribute from `a` elements + whitelist[:transformers].push(remove_rel) - # Remove `class` attribute from non-highlight spans - whitelist[:transformers].push(clean_spans) + # Remove `class` attribute from non-highlight spans + whitelist[:transformers].push(clean_spans) + end whitelist end + private + def remove_rel lambda do |env| if env[:node_name] == 'a' @@ -48,6 +53,10 @@ module Gitlab end end end + + def customized?(transformers) + transformers.last.source_location[0] == __FILE__ + end end end end |