diff options
| author | Douwe Maan <douwe@gitlab.com> | 2016-06-14 10:26:50 +0000 |
|---|---|---|
| committer | Douwe Maan <douwe@gitlab.com> | 2016-06-14 10:26:50 +0000 |
| commit | 066020fcd015ca92397b794342a49a46dd02582c (patch) | |
| tree | 8dba90e39740a892a9dd6e5a21584dbf243454ed /lib | |
| parent | 0c0ef7dfb6afb1695b62037fc0fa5aba6ce697d7 (diff) | |
| parent | 03d2bf141cde7bb12f88f25bcb08a612e65044c4 (diff) | |
| download | gitlab-ce-066020fcd015ca92397b794342a49a46dd02582c.tar.gz | |
Merge branch 'fix-markdown-spec' into 'master'
Add whitelisted elements correctly in sanitization
Add whitelisted elements correctly in sanitization
Consider this command:
bundle exec rails r "include GitlabMarkdownHelper
puts markdown('<span>this is a span</span>', pipeline: :description)
puts markdown('<span>this is a span</span>')"
And the same in the opposite order:
bundle exec rails r "include GitlabMarkdownHelper
puts markdown('<span>this is a span</span>')
puts markdown('<span>this is a span</span>', pipeline: :description)"
Before this change, they would both output:
<p><span>this is a span</span></p>
<p>this is a span</p>
That's because `span` is added to the list of whitelisted elements in
the `SanitizationFilter`, but this method tries not to make the same
changes multiple times. Unfortunately,
`HTML::Pipeline::SanitizationFilter::LIMITED`, which is used by the
`DescriptionPipeline`, uses the same Ruby objects for all of its hash
values _except_ `:elements`.
That means that whichever of `DescriptionPipeline` and `GfmPipeline` is
called first would have `span` in its whitelisted elements, and the
second wouldn't.
Fix this by adding a special check for modifying `:elements` twice, then
checking `:transformers` as before.
See merge request !4588
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/banzai/pipeline/description_pipeline.rb | 17 |
1 files changed, 5 insertions, 12 deletions
diff --git a/lib/banzai/pipeline/description_pipeline.rb b/lib/banzai/pipeline/description_pipeline.rb index f2395867658..042fb2e6e14 100644 --- a/lib/banzai/pipeline/description_pipeline.rb +++ b/lib/banzai/pipeline/description_pipeline.rb @@ -1,23 +1,16 @@ module Banzai module Pipeline class DescriptionPipeline < FullPipeline + WHITELIST = Banzai::Filter::SanitizationFilter::LIMITED.deep_dup.merge( + elements: Banzai::Filter::SanitizationFilter::LIMITED[:elements] - %w(pre code img ol ul li) + ) + def self.transform_context(context) super(context).merge( # SanitizationFilter - whitelist: whitelist + whitelist: WHITELIST ) end - - private - - def self.whitelist - # Descriptions are more heavily sanitized, allowing only a few elements. - # See http://git.io/vkuAN - whitelist = Banzai::Filter::SanitizationFilter::LIMITED - whitelist[:elements] -= %w(pre code img ol ul li) - - whitelist - end end end end |