| author | Vinnie Okada <vokada@mrvinn.com> | 2015-03-22 09:02:32 -0600 |
|---|---|---|
| committer | Vinnie Okada <vokada@mrvinn.com> | 2015-03-22 20:17:56 -0600 |
| commit | a7afc0634240f5cddb6c6e1bf1f9fcf4374b852e (patch) | |
| tree | 479dc071012c903fa2a75f35c385f73fe9eed786 /lib | |
| parent | f5e65e2e508269ff7c18318526ba01f8e7d83951 (diff) | |
| download | gitlab-ce-a7afc0634240f5cddb6c6e1bf1f9fcf4374b852e.tar.gz | |
Fix SanitizationFilter bugs
Return a `SafeBuffer` instead of a `String` from the `#gfm_with_options`
method so that Rails doesn't escape our markup.
Also add `<span>` to the sanitization whitelist to avoid breaking syntax
highlighting in code blocks.
Diffstat (limited to 'lib')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | lib/gitlab/markdown.rb | 3 |

1 files changed, 2 insertions, 1 deletions
diff --git a/lib/gitlab/markdown.rb b/lib/gitlab/markdown.rb index 65dce9291e6..11da4be4022 100644 --- a/lib/gitlab/markdown.rb +++ b/lib/gitlab/markdown.rb @@ -89,6 +89,7 @@ module Gitlab whitelist = HTML::Pipeline::SanitizationFilter::WHITELIST whitelist[:attributes][:all].push('class', 'id') + whitelist[:elements].push('span') # Remove the rel attribute that the sanitize gem adds, and remove the # href attribute if it contains inline javascript @@ -123,7 +124,7 @@ module Gitlab text = parse_tasks(text) end - text + text.html_safe end private |
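Review bot: In the first hunk, `whitelist[:elements].push('span')` (like the existing `whitelist[:attributes][:all].push('class', 'id')` above it) mutates `HTML::Pipeline::SanitizationFilter::WHITELIST` in place, and because `whitelist` is assigned inside the method body this runs on every call. Two consequences: the shared library constant is changed for every other consumer of that filter in the process, and the `elements` array grows by one `'span'` per render. Suggest taking a private copy before editing, e.g. `whitelist = HTML::Pipeline::SanitizationFilter::WHITELIST.deep_dup`, or guarding the push with `unless whitelist[:elements].include?('span')`. Allowing `span` itself is harmless, since it carries no URL or script-bearing attributes; the `class`/`id` attributes the existing line whitelists on all elements are the part worth keeping an eye on, as arbitrary `id` values can collide with ids the host page relies on.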
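Review bot: In the second hunk, returning `text.html_safe` promotes the result to a `SafeBuffer`, which tells Rails to skip escaping entirely; that is only correct if every path that reaches this return has passed the string through `SanitizationFilter`. The hunk shows `text = parse_tasks(text)` wrapped in a conditional just before the return, so please confirm there is no option or branch in `#gfm_with_options` that skips the sanitization filter yet still reaches this line, otherwise unsanitized markup would now render as trusted. A short comment above the return stating that invariant, plus a spec asserting that `<script>` input comes back stripped from the returned `SafeBuffer`, would make the intent explicit.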