author | Robert Speicher <robert@gitlab.com> | 2017-08-31 15:27:34 +0000 |
committer | Robert Speicher <rspeicher@gmail.com> | 2017-09-07 20:22:16 -0400 |
commit | 8629d5822a1a7af5708ebb785982b25e0d2400bf (patch) | |
tree | 58f452f0c73ea2c8f3d032b9b723f16bdc3fefcd /lib/banzai | |
parent | 4efd18d7e140bf2b6b95637af630e7294fcf28cc (diff) | |
download | gitlab-ce-8629d5822a1a7af5708ebb785982b25e0d2400bf.tar.gz |
Merge branch 'rs-issue-36098' into 'security-9-5'
[9.5] Limit `style` attribute on `th` and `td` elements to specific properties
See merge request gitlab/gitlabhq!2155
Diffstat (limited to 'lib/banzai')
-rw-r--r-- | lib/banzai/filter/sanitization_filter.rb | 22 |
1 files changed, 21 insertions, 1 deletions
diff --git a/lib/banzai/filter/sanitization_filter.rb b/lib/banzai/filter/sanitization_filter.rb
index 2d6e8ffc90f..768baa4e227 100644
--- a/lib/banzai/filter/sanitization_filter.rb
+++ b/lib/banzai/filter/sanitization_filter.rb
@@ -5,6 +5,7 @@ module Banzai
 # Extends HTML::Pipeline::SanitizationFilter with a custom whitelist.
 class SanitizationFilter < HTML::Pipeline::SanitizationFilter
 UNSAFE_PROTOCOLS = %w(data javascript vbscript).freeze
+ TABLE_ALIGNMENT_PATTERN = /text-align: (?<alignment>center|left|right)/
 
 def whitelist
 whitelist = super
@@ -24,7 +25,8 @@ module Banzai
 # Only push these customizations once
 return if customized?(whitelist[:transformers])
 
- # Allow table alignment
+ # Allow table alignment; we whitelist specific style properties in a
+ # transformer below
 whitelist[:attributes]['th'] = %w(style)
 whitelist[:attributes]['td'] = %w(style)
 
@@ -52,6 +54,9 @@ module Banzai
 # Remove `rel` attribute from `a` elements
 whitelist[:transformers].push(self.class.remove_rel)
 
+ # Remove any `style` properties not required for table alignment
+ whitelist[:transformers].push(self.class.remove_unsafe_table_style)
+
 whitelist
 end
 
@@ -81,6 +86,21 @@ module Banzai
 end
 end
 end
+
+ def remove_unsafe_table_style
+ lambda do |env|
+ node = env[:node]
+
+ return unless node.name == 'th' || node.name == 'td'
+ return unless node.has_attribute?('style')
+
+ if node['style'] =~ TABLE_ALIGNMENT_PATTERN
+ node['style'] = "text-align: #{$~[:alignment]}"
+ else
+ node.remove_attribute('style')
+ end
+ end
+ end
 end
 end
 end
|
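Review bot: In `remove_unsafe_table_style` (last hunk) the captured alignment is read back through the `$~` global after `=~`, which is the one place the rewritten value comes from and is easy to misread as passing the original attribute through; a local match makes the invariant visible, e.g. `match = node['style'].match(TABLE_ALIGNMENT_PATTERN)` followed by `if match` and `node['style'] = "text-align: #{match[:alignment]}"`. The method also has no header comment while the `whitelist` push in the third hunk documents intent only at the call site; a comment such as `# Returns a transformer that rewrites the style of th/td elements to a single text-align property (center/left/right) and drops the attribute otherwise` would pin the contract. That comment is worth having because TABLE_ALIGNMENT_PATTERN in the first hunk is deliberately unanchored: the approach is only safe because the attribute is rebuilt from the capture rather than the matched input being kept, and a future edit that keeps the original value would silently reopen the issue. Whether the transformer runs before or after Sanitize's attribute whitelisting cannot be confirmed from these hunks; either way the rewritten value is a fixed property, so the order presumably does not matter, but a spec covering a style that mixes text-align with other properties would make that explicit.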