Merge branch 'security-fj-bumping-sanitize-gem' into 'master'

[master] Update sanitize gem to 4.6.5 to fix HTML injection vulnerability See merge request gitlab/gitlabhq!2399
author: Alessio Caiazza <acaiazza@gitlab.com> 2018-06-25 16:13:53 +0000
committer: Alessio Caiazza <acaiazza@gitlab.com> 2018-06-25 16:13:53 +0000
commit: 70c02bf3bce18d39a4fae85bb927334391cd2a5e (patch)
tree: 0b0f3426976856f18fb5a9dc0c371b2447178cc8 /lib
parent: 4605d27d341d7840cba3453f2b2f23fb992c44b3 (diff)
parent: 039b0c0dbd956e458000fb4f3f7cf0a638098912 (diff)
download: gitlab-ce-70c02bf3bce18d39a4fae85bb927334391cd2a5e.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/banzai/filter/sanitization_filter.rb b/lib/banzai/filter/sanitization_filter.rb
index 6786b9d07b6..afc2ca4e362 100644
--- a/lib/banzai/filter/sanitization_filter.rb
+++ b/lib/banzai/filter/sanitization_filter.rb
@@ -25,10 +25,11 @@ module Banzai
         # Only push these customizations once
         return if customized?(whitelist[:transformers])
 
-        # Allow table alignment; we whitelist specific style properties in a
+        # Allow table alignment; we whitelist specific text-align values in a
         # transformer below
         whitelist[:attributes]['th'] = %w(style)
         whitelist[:attributes]['td'] = %w(style)
+        whitelist[:css] = { properties: ['text-align'] }
 
         # Allow span elements
         whitelist[:elements].push('span')
author	Alessio Caiazza <acaiazza@gitlab.com>	2018-06-25 16:13:53 +0000
committer	Alessio Caiazza <acaiazza@gitlab.com>	2018-06-25 16:13:53 +0000
commit	70c02bf3bce18d39a4fae85bb927334391cd2a5e (patch)
tree	0b0f3426976856f18fb5a9dc0c371b2447178cc8 /lib
parent	4605d27d341d7840cba3453f2b2f23fb992c44b3 (diff)
parent	039b0c0dbd956e458000fb4f3f7cf0a638098912 (diff)
download	gitlab-ce-70c02bf3bce18d39a4fae85bb927334391cd2a5e.tar.gz