diff options
author | Simon Knox <psimyn@gmail.com> | 2019-08-06 15:07:18 +1000 |
---|---|---|
committer | Simon Knox <psimyn@gmail.com> | 2019-08-06 15:07:18 +1000 |
commit | fc77b9df8b6a49c86e9c1eb949f1b1162470d2ee (patch) | |
tree | 96aad0a31543fa520626dc1c5efabff1367a0bab /lib/banzai/filter/base_sanitization_filter.rb | |
parent | 9c71bf3e6df2dcb20ea19df21a127823bbe5e615 (diff) | |
parent | fa216b0e86433192ba4e39a05f42217fb4685173 (diff) | |
download | gitlab-ce-alerts-dropdown-to-modal-part-2-ce.tar.gz |
Merge branch 'master' of gitlab.com:gitlab-org/gitlab-ce into alerts-dropdown-to-modal-part-2-cealerts-dropdown-to-modal-part-2-ce
Diffstat (limited to 'lib/banzai/filter/base_sanitization_filter.rb')
-rw-r--r-- | lib/banzai/filter/base_sanitization_filter.rb | 32 |
1 files changed, 2 insertions, 30 deletions
diff --git a/lib/banzai/filter/base_sanitization_filter.rb b/lib/banzai/filter/base_sanitization_filter.rb index 420e92cb1e8..2dabca3552d 100644 --- a/lib/banzai/filter/base_sanitization_filter.rb +++ b/lib/banzai/filter/base_sanitization_filter.rb @@ -11,6 +11,7 @@ module Banzai # Extends HTML::Pipeline::SanitizationFilter with common rules. class BaseSanitizationFilter < HTML::Pipeline::SanitizationFilter include Gitlab::Utils::StrongMemoize + extend Gitlab::Utils::SanitizeNodeLink UNSAFE_PROTOCOLS = %w(data javascript vbscript).freeze @@ -40,7 +41,7 @@ module Banzai # Allow any protocol in `a` elements # and then remove links with unsafe protocols whitelist[:protocols].delete('a') - whitelist[:transformers].push(self.class.remove_unsafe_links) + whitelist[:transformers].push(self.class.method(:remove_unsafe_links)) # Remove `rel` attribute from `a` elements whitelist[:transformers].push(self.class.remove_rel) @@ -54,35 +55,6 @@ module Banzai end class << self - def remove_unsafe_links - lambda do |env| - node = env[:node] - - return unless node.name == 'a' - return unless node.has_attribute?('href') - - begin - node['href'] = node['href'].strip - uri = Addressable::URI.parse(node['href']) - - return unless uri.scheme - - # Remove all invalid scheme characters before checking against the - # list of unsafe protocols. - # - # See https://tools.ietf.org/html/rfc3986#section-3.1 - scheme = uri.scheme - .strip - .downcase - .gsub(/[^A-Za-z0-9\+\.\-]+/, '') - - node.remove_attribute('href') if UNSAFE_PROTOCOLS.include?(scheme) - rescue Addressable::URI::InvalidURIError - node.remove_attribute('href') - end - end - end - def remove_rel lambda do |env| if env[:node_name] == 'a' |