author | Robert Speicher <rspeicher@gmail.com> | 2015-06-02 13:41:12 -0400 |
committer | Robert Speicher <rspeicher@gmail.com> | 2015-06-02 13:41:12 -0400 |
commit | 9e7a9c63a59f4e673271b3600b735e3fa6702432 (patch) | |
tree | 3ea0626b8d56d3c14309ccf07e6c3fcb4fd6f465 | |
parent | 79c4e3899fa7697afdefb13d64c4add08ca84aac (diff) | |
download | gitlab-ce-9e7a9c63a59f4e673271b3600b735e3fa6702432.tar.gz |
Further limit the limited whitelist for project/group descriptionsrs-more-nofollow
-rw-r--r-- | lib/gitlab/markdown/sanitization_filter.rb | 1 | ||||
-rw-r--r-- | spec/lib/gitlab/markdown/sanitization_filter_spec.rb | 19 |
2 files changed, 18 insertions, 2 deletions
diff --git a/lib/gitlab/markdown/sanitization_filter.rb b/lib/gitlab/markdown/sanitization_filter.rb
index fc29d09081a..74b3a8d274f 100644
--- a/lib/gitlab/markdown/sanitization_filter.rb
+++ b/lib/gitlab/markdown/sanitization_filter.rb
@@ -12,6 +12,7 @@ module Gitlab
         # See http://git.io/vkuAN
         if pipeline == :description
           whitelist = LIMITED
+          whitelist[:elements] -= %w(pre code img ol ul li)
         else
           whitelist = super
         end
diff --git a/spec/lib/gitlab/markdown/sanitization_filter_spec.rb b/spec/lib/gitlab/markdown/sanitization_filter_spec.rb
index 8627cb288ab..e50c82d0b3c 100644
--- a/spec/lib/gitlab/markdown/sanitization_filter_spec.rb
+++ b/spec/lib/gitlab/markdown/sanitization_filter_spec.rb
@@ -95,8 +95,23 @@ module Gitlab::Markdown
     context 'when pipeline is :description' do
       it 'uses a stricter whitelist' do
-        doc = filter('<h1>My Project</h1>', pipeline: :description)
-        expect(doc.to_html.strip).to eq 'My Project'
+        doc = filter('<h1>Description</h1>', pipeline: :description)
+        expect(doc.to_html.strip).to eq 'Description'
+      end
+
+      %w(pre code img ol ul li).each do |elem|
+        it "removes '#{elem}' elements" do
+          act = "<#{elem}>Description</#{elem}>"
+          expect(filter(act, pipeline: :description).to_html.strip).
+            to eq 'Description'
+        end
+      end
+
+      %w(b i strong em a ins del sup sub p).each do |elem|
+        it "still allows '#{elem}' elements" do
+          exp = act = "<#{elem}>Description</#{elem}>"
+          expect(filter(act, pipeline: :description).to_html).to eq exp
+        end
       end
     end
   end
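Review bot: `whitelist[:elements] -= %w(pre code img ol ul li)` rebinds the `:elements` key on the very hash that `whitelist = LIMITED` refers to, so unless LIMITED is copied before this line (its definition is outside the hunk, so this is inferred) the narrowed element set is written back into the shared constant on the first `:description` call and is then visible to every other user of LIMITED, and the assignment raises if LIMITED is frozen. Narrowing a copy keeps the sanitizer configuration free of hidden state, e.g. `whitelist = LIMITED.merge(elements: LIMITED[:elements] - %w(pre code img ol ul li))`. A short comment above the new line saying why these six elements are dropped for descriptions would also help, since `# See http://git.io/vkuAN` is the only rationale in the method. The enclosing method starts and ends outside the hunk.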
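Review bot: The "still allows" examples feed attribute-less tags, so `<a>Description</a>` proves only that the element survives and says nothing about which attributes the `:description` whitelist keeps on it; an example built from a constructed value such as `<a href="http://example.test/">Description</a>` with an expectation on the rendered `href` would pin that part of the policy, which is the part that matters for links in descriptions. The "removes" examples strip the wrapper but keep the text, so `.to_html.strip` is the right comparison there. The surrounding describe block opens before the hunk and its closing `end` lines are the hunk's trailing context.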