author | Phil Hughes <me@iamphill.com> | 2018-01-09 08:39:22 +0000 |
---|---|---|
committer | Stan Hu <stanhu@gmail.com> | 2018-01-16 17:05:01 -0800 |
commit | 54636e1d4293a8465a772020a54b6193d7df9878 (patch) | |
tree | 9ff6569b0dc882001c573fa2fbf89267962887d0 /app | |
parent | 532a0b60184800b0442723498d5257c20d20a8aa (diff) | |
download | gitlab-ce-54636e1d4293a8465a772020a54b6193d7df9878.tar.gz |
Merge branch 'fl-ipythin-10-3' into 'security-10-3'
Port of [10.2] Sanitizes IPython notebook output
See merge request gitlab/gitlabhq!2285
(cherry picked from commit 1c46e031c70706450a8e0ae730f4c323b72f9e4c)
aac035fe Port of [10.2] Sanitizes IPython notebook output
Diffstat (limited to 'app')
-rw-r--r-- | app/assets/javascripts/notebook/cells/markdown.vue | 8 | ||||
-rw-r--r-- | app/assets/javascripts/notebook/cells/output/html.vue | 27 |
2 files changed, 33 insertions, 2 deletions
diff --git a/app/assets/javascripts/notebook/cells/markdown.vue b/app/assets/javascripts/notebook/cells/markdown.vue
index d0ec70f1fcf..3d09d24b6ab 100644
--- a/app/assets/javascripts/notebook/cells/markdown.vue
+++ b/app/assets/javascripts/notebook/cells/markdown.vue
@@ -1,6 +1,7 @@
 <script>
 /* global katex */
 import marked from 'marked';
+ import sanitize from 'sanitize-html';
 import Prompt from './prompt.vue';
 
 const renderer = new marked.Renderer();
@@ -82,7 +83,12 @@
 },
 computed: {
 markdown() {
- return marked(this.cell.source.join('').replace(/\\/g, '\\\\'));
+ return sanitize(marked(this.cell.source.join('').replace(/\\/g, '\\\\')), {
+ allowedTags: false,
+ allowedAttributes: {
+ '*': ['class'],
+ },
+ });
 },
 },
 };
diff --git a/app/assets/javascripts/notebook/cells/output/html.vue b/app/assets/javascripts/notebook/cells/output/html.vue
index ebba5954de9..ed4695a4eb8 100644
--- a/app/assets/javascripts/notebook/cells/output/html.vue
+++ b/app/assets/javascripts/notebook/cells/output/html.vue
@@ -1,10 +1,16 @@
 <script>
+<<<<<<< HEAD
 import Prompt from '../prompt.vue';
+=======
+import sanitize from 'sanitize-html';
+import Prompt from '../prompt.vue';
+>>>>>>> Merge branch 'fl-ipythin-10-3' into 'security-10-3'
 
 export default {
 components: {
 prompt: Prompt,
 },
+<<<<<<< HEAD
 props: {
 rawCode: {
 type: String,
@@ -12,11 +18,30 @@
 },
 },
 };
+=======
+ },
+ components: {
+ prompt: Prompt,
+ },
+ computed: {
+ sanitizedOutput() {
+ return sanitize(this.rawCode, {
+ allowedTags: sanitize.defaults.allowedTags.concat([
+ 'img', 'svg',
+ ]),
+ allowedAttributes: {
+ img: ['src'],
+ },
+ });
+ },
+ },
+};
+>>>>>>> Merge branch 'fl-ipythin-10-3' into 'security-10-3'
 </script>
 
 <template>
 <div class="output">
 <prompt />
- <div v-html="rawCode"></div>
+ <div v-html="sanitizedOutput"></div>
 </div>
 </template> |
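Review bot: `allowedTags: false` in the new `markdown()` computed switches sanitize-html's tag whitelist off altogether (in that library `false` means "allow every tag", not "fall back to the defaults"), so the attribute filter is the only thing standing between notebook markdown and `v-html`. If the blanket allowance is there so that KaTeX's MathML/SVG markup survives, say so in a comment and prefer an explicit list, e.g. `allowedTags: sanitize.defaults.allowedTags.concat([/* the tags KaTeX emits */])`, so that `script`, `style`, `iframe` and similar elements are still dropped by the tag filter rather than relying on attribute stripping alone. Also worth a comment: `allowedAttributes: { '*': ['class'] }` strips `href` and `src`, so links and images written in the markdown lose their targets — a reasonable stance for untrusted notebook content, but surprising without `// intentionally drops href/src: notebook markdown is untrusted`. The enclosing `export default` object starts before this hunk.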
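Review bot: The new side of html.vue keeps unresolved merge-conflict markers — `+<<<<<<< HEAD`, `+=======`, `+>>>>>>> Merge branch 'fl-ipythin-10-3' into 'security-10-3'` — both in this hunk and in the `@@ -12,11 +18,30 @@` hunk, so the committed `<script>` block is not valid JavaScript (two `components` keys, a dangling `},` after `props`) and the `sanitizedOutput` computed that the template now binds through `v-html` cannot take effect until the file is repaired. Resolving in favour of the incoming side gives one `components` block, the existing `props`, and the `computed` block, as sketched below. Separately, `allowedAttributes: { img: ['src'] }` replaces sanitize-html's default attribute map rather than extending it, so e.g. `<a href>` in cell output loses its attributes — if that is deliberate, a one-line comment saying so will stop the next reader from "fixing" it. The `props` body itself lies outside this hunk.
```javascript
import sanitize from 'sanitize-html';
import Prompt from '../prompt.vue';

export default {
  components: {
    prompt: Prompt,
  },
  // … unchanged: props (rawCode) …
  computed: {
    // Cell output is untrusted; whitelist tags and attributes before v-html.
    sanitizedOutput() {
      return sanitize(this.rawCode, {
        allowedTags: sanitize.defaults.allowedTags.concat(['img', 'svg']),
        // NOTE: this replaces the default attribute map, it does not extend it.
        allowedAttributes: {
          img: ['src'],
        },
      });
    },
  },
};
```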