authorPhil Hughes <me@iamphill.com>2018-01-09 08:39:22 +0000
committerStan Hu <stanhu@gmail.com>2018-01-16 17:05:01 -0800
commit54636e1d4293a8465a772020a54b6193d7df9878 (patch)
tree9ff6569b0dc882001c573fa2fbf89267962887d0 /app/assets/javascripts/notebook
parent532a0b60184800b0442723498d5257c20d20a8aa (diff)
Merge branch 'fl-ipythin-10-3' into 'security-10-3'
Port of [10.2] Sanitizes IPython notebook output

See merge request gitlab/gitlabhq!2285

(cherry picked from commit 1c46e031c70706450a8e0ae730f4c323b72f9e4c)

aac035fe Port of [10.2] Sanitizes IPython notebook output
Diffstat (limited to 'app/assets/javascripts/notebook')
-rw-r--r--app/assets/javascripts/notebook/cells/markdown.vue8
-rw-r--r--app/assets/javascripts/notebook/cells/output/html.vue27
2 files changed, 33 insertions, 2 deletions
diff --git a/app/assets/javascripts/notebook/cells/markdown.vue b/app/assets/javascripts/notebook/cells/markdown.vue
index d0ec70f1fcf..3d09d24b6ab 100644
--- a/app/assets/javascripts/notebook/cells/markdown.vue
+++ b/app/assets/javascripts/notebook/cells/markdown.vue
@@ -1,6 +1,7 @@
<script>
/* global katex */
import marked from 'marked';
+ import sanitize from 'sanitize-html';
import Prompt from './prompt.vue';
const renderer = new marked.Renderer();
@@ -82,7 +83,12 @@
},
computed: {
markdown() {
- return marked(this.cell.source.join('').replace(/\\/g, '\\\\'));
+ return sanitize(marked(this.cell.source.join('').replace(/\\/g, '\\\\')), {
+ allowedTags: false,
+ allowedAttributes: {
+ '*': ['class'],
+ },
+ });
},
},
};
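Review bot: `allowedTags: false` in the new `markdown()` computed switches sanitize-html's tag allow-list off, so every element that marked passes through from `cell.source` (for example `style`, `form` or `iframe`) is kept and the attribute list is the only filter left. An explicit list, as the html.vue change in this commit uses, would be the safer default: `allowedTags: sanitize.defaults.allowedTags.concat(['img']),`. The `'*': ['class']` attribute list also drops `href` and `src`, so rendered markdown links and images would lose their targets; if that is not intended, add `a: ['href']` and `img: ['src']` and keep the library's default scheme filtering. The component definition begins outside this hunk, so whether the custom renderer's output relies on other attributes cannot be confirmed from here.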
diff --git a/app/assets/javascripts/notebook/cells/output/html.vue b/app/assets/javascripts/notebook/cells/output/html.vue
index ebba5954de9..ed4695a4eb8 100644
--- a/app/assets/javascripts/notebook/cells/output/html.vue
+++ b/app/assets/javascripts/notebook/cells/output/html.vue
@@ -1,10 +1,16 @@
<script>
+<<<<<<< HEAD
import Prompt from '../prompt.vue';
+=======
+import sanitize from 'sanitize-html';
+import Prompt from '../prompt.vue';
+>>>>>>> Merge branch 'fl-ipythin-10-3' into 'security-10-3'
export default {
components: {
prompt: Prompt,
},
+<<<<<<< HEAD
props: {
rawCode: {
type: String,
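Review bot: The added lines `<<<<<<< HEAD`, `=======` and `>>>>>>> Merge branch 'fl-ipythin-10-3' into 'security-10-3'` are unresolved merge-conflict markers committed inside the `<script>` block, here and again in the next hunk of this file. With them in place the script section cannot parse, so the component, including the new sanitizing computed, presumably fails to build; for a security backport that should be caught before merge. Resolve by keeping one `import sanitize from 'sanitize-html';` and one `import Prompt from '../prompt.vue';`, dropping the marker lines, and checking that `components` is declared only once (it appears in the context lines and again on the incoming side in the next hunk). The `props` definition continues past the end of this hunk.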
@@ -12,11 +18,30 @@
},
},
};
+=======
+ },
+ components: {
+ prompt: Prompt,
+ },
+ computed: {
+ sanitizedOutput() {
+ return sanitize(this.rawCode, {
+ allowedTags: sanitize.defaults.allowedTags.concat([
+ 'img', 'svg',
+ ]),
+ allowedAttributes: {
+ img: ['src'],
+ },
+ });
+ },
+ },
+};
+>>>>>>> Merge branch 'fl-ipythin-10-3' into 'security-10-3'
</script>
<template>
<div class="output">
<prompt />
- <div v-html="rawCode"></div>
+ <div v-html="sanitizedOutput"></div>
</div>
</template>
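Review bot: In `sanitizedOutput`, `allowedAttributes: { img: ['src'] }` replaces the library defaults rather than extending them, so anchors in notebook HTML output lose `href`, and the `svg` tag added to `allowedTags` is kept without any attributes or child elements such as `path`, which likely leaves SVG output blank. If links should survive, add `a: ['href']`; for SVG, either drop `'svg'` from the list or allow a deliberately small set of shapes and attributes, since SVG brings its own script-capable surface. A short comment above the options, e.g. `// rawCode is untrusted notebook output; v-html must only ever receive the sanitized value`, would help later edits keep the sanitizer in the rendering path.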