authorRobert Speicher <robert@gitlab.com>2017-08-31 15:27:34 +0000
committerRobert Speicher <rspeicher@gmail.com>2017-09-07 20:22:16 -0400
commit8629d5822a1a7af5708ebb785982b25e0d2400bf (patch)
tree58f452f0c73ea2c8f3d032b9b723f16bdc3fefcd /lib/banzai
parent4efd18d7e140bf2b6b95637af630e7294fcf28cc (diff)
Merge branch 'rs-issue-36098' into 'security-9-5'
[9.5] Limit `style` attribute on `th` and `td` elements to specific properties. See merge request gitlab/gitlabhq!2155
Diffstat (limited to 'lib/banzai')
-rw-r--r--lib/banzai/filter/sanitization_filter.rb22
1 files changed, 21 insertions, 1 deletions
diff --git a/lib/banzai/filter/sanitization_filter.rb b/lib/banzai/filter/sanitization_filter.rb
index 2d6e8ffc90f..768baa4e227 100644
--- a/lib/banzai/filter/sanitization_filter.rb
+++ b/lib/banzai/filter/sanitization_filter.rb
@@ -5,6 +5,7 @@ module Banzai
# Extends HTML::Pipeline::SanitizationFilter with a custom whitelist.
class SanitizationFilter < HTML::Pipeline::SanitizationFilter
UNSAFE_PROTOCOLS = %w(data javascript vbscript).freeze
+ TABLE_ALIGNMENT_PATTERN = /text-align: (?<alignment>center|left|right)/
def whitelist
whitelist = super
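Review bot: TABLE_ALIGNMENT_PATTERN on the added line requires exactly one space after the colon, so a value such as `text-align:center` (or one with two spaces) does not match and the transformer that uses it later in this diff drops the alignment altogether; that fails closed, which is the right direction for a sanitizer, but if any table renderer feeding this filter emits the compact form the feature silently stops working. `/text-align:\s*(?<alignment>center|left|right)\b/` accepts both spellings without widening what the capture can contain, since the transformer only ever copies the captured keyword. Which form the markdown table renderer actually emits is not visible here, so confirm that before relaxing the pattern.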
@@ -24,7 +25,8 @@ module Banzai
# Only push these customizations once
return if customized?(whitelist[:transformers])
- # Allow table alignment
+ # Allow table alignment; we whitelist specific style properties in a
+ # transformer below
whitelist[:attributes]['th'] = %w(style)
whitelist[:attributes]['td'] = %w(style)
@@ -52,6 +54,9 @@ module Banzai
# Remove `rel` attribute from `a` elements
whitelist[:transformers].push(self.class.remove_rel)
+ # Remove any `style` properties not required for table alignment
+ whitelist[:transformers].push(self.class.remove_unsafe_table_style)
+
whitelist
end
@@ -81,6 +86,21 @@ module Banzai
end
end
end
+
+ def remove_unsafe_table_style
+ lambda do |env|
+ node = env[:node]
+
+ return unless node.name == 'th' || node.name == 'td'
+ return unless node.has_attribute?('style')
+
+ if node['style'] =~ TABLE_ALIGNMENT_PATTERN
+ node['style'] = "text-align: #{$~[:alignment]}"
+ else
+ node.remove_attribute('style')
+ end
+ end
+ end
end
end
end
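Review bot: `$~[:alignment]` on the rewritten `node['style']` line reads the implicit last-match global; `match = node['style'].match(TABLE_ALIGNMENT_PATTERN)` followed by `node['style'] = "text-align: #{match[:alignment]}"` (with `if match` as the branch condition) keeps the capture local and makes the dependency explicit. The safety of this transformer rests on the attribute being rebuilt from the capture rather than passed through: the pattern is unanchored, so anything else in the original value (say a `background` or `position` declaration next to the alignment) is discarded only because of that rebuild, and I would state that in a comment, `# Rebuild the value from the captured keyword; never keep the original string, the pattern is unanchored`. The method is presumably inside a `class << self` block, since the diff calls it as `self.class.remove_unsafe_table_style`, and that enclosing block opens before this hunk.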