Update SVG sanitizer to conform to SVG 1.1

Use a custom Loofah scrubber since sanitize 2.x transformers are inadequate to handle case-sensitive SVG attributes. sanitize parses documents as HTML instead of XML, which causes all SVG attribute names (e.g. viewBox) to be downcased. * SVG element list: https://www.w3.org/TR/SVG/eltindex.html * SVG attribute list: https://www.w3.org/TR/SVG/attindex.html Closes #14555
author: Stan Hu <stanhu@gmail.com> 2016-03-24 22:39:58 -0700
committer: Stan Hu <stanhu@gmail.com> 2016-05-06 23:20:24 -0700
commit: 21d89d0286e385d6d0a4debdbf7c801939c3e279 (patch)
tree: b1b0190c153ae9bccb552f60a4dbf4e80edd56e0 /app/helpers
parent: 2e1162272e2f90a3677f3def491907729b249434 (diff)
download: gitlab-ce-21d89d0286e385d6d0a4debdbf7c801939c3e279.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/app/helpers/blob_helper.rb b/app/helpers/blob_helper.rb
index 474c6f27374..93241b3afb7 100644
--- a/app/helpers/blob_helper.rb
+++ b/app/helpers/blob_helper.rb
@@ -131,7 +131,7 @@ module BlobHelper
   # elements and attributes. Note that this whitelist is by no means complete
   # and may omit some elements.
   def sanitize_svg(blob)
-    blob.data = Loofah.scrub_fragment(blob.data, :strip).to_xml
+    blob.data = Gitlab::Sanitizers::SVG.clean(blob.data)
     blob
   end
author	Stan Hu <stanhu@gmail.com>	2016-03-24 22:39:58 -0700
committer	Stan Hu <stanhu@gmail.com>	2016-05-06 23:20:24 -0700
commit	21d89d0286e385d6d0a4debdbf7c801939c3e279 (patch)
tree	b1b0190c153ae9bccb552f60a4dbf4e80edd56e0 /app/helpers
parent	2e1162272e2f90a3677f3def491907729b249434 (diff)
download	gitlab-ce-21d89d0286e385d6d0a4debdbf7c801939c3e279.tar.gz