diff options
author | Robert Speicher <robert@gitlab.com> | 2017-08-31 15:27:34 +0000 |
---|---|---|
committer | Robert Speicher <robert@gitlab.com> | 2017-08-31 15:27:34 +0000 |
commit | 8649d1fc2fc5d9cafa937667705ffbc0b4089ae4 (patch) | |
tree | 76624543876a59013ec2dbcf9b204d8d64021f34 /spec | |
parent | fc2f48ac073b1626ad12e24cbdaf999a06d0f4b9 (diff) | |
parent | 228cf4f6b53b30e29a8aaab957e84443ccfae959 (diff) | |
download | gitlab-ce-8649d1fc2fc5d9cafa937667705ffbc0b4089ae4.tar.gz |
Merge branch 'rs-issue-36098' into 'security-9-5'
[9.5] Limit `style` attribute on `th` and `td` elements to specific properties
See merge request gitlab/gitlabhq!2155
Diffstat (limited to 'spec')
-rw-r--r-- | spec/lib/banzai/filter/sanitization_filter_spec.rb | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/spec/lib/banzai/filter/sanitization_filter_spec.rb b/spec/lib/banzai/filter/sanitization_filter_spec.rb index b96cce04699..01ceb21dfaa 100644 --- a/spec/lib/banzai/filter/sanitization_filter_spec.rb +++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb @@ -49,7 +49,7 @@ describe Banzai::Filter::SanitizationFilter do instance = described_class.new('Foo') 3.times { instance.whitelist } - expect(instance.whitelist[:transformers].size).to eq 4 + expect(instance.whitelist[:transformers].size).to eq 5 end it 'sanitizes `class` attribute from all elements' do @@ -63,8 +63,8 @@ describe Banzai::Filter::SanitizationFilter do expect(filter(act).to_html).to eq %q{<span>def</span>} end - it 'allows `style` attribute on table elements' do - html = <<-HTML.strip_heredoc + it 'allows `text-align` property in `style` attribute on table elements' do + html = <<~HTML <table> <tr><th style="text-align: center">Head</th></tr> <tr><td style="text-align: right">Body</th></tr> @@ -77,6 +77,20 @@ describe Banzai::Filter::SanitizationFilter do expect(doc.at_css('td')['style']).to eq 'text-align: right' end + it 'disallows other properties in `style` attribute on table elements' do + html = <<~HTML + <table> + <tr><th style="text-align: foo">Head</th></tr> + <tr><td style="position: fixed; height: 50px; width: 50px; background: red; z-index: 999; font-size: 36px; text-align: center">Body</th></tr> + </table> + HTML + + doc = filter(html) + + expect(doc.at_css('th')['style']).to be_nil + expect(doc.at_css('td')['style']).to eq 'text-align: center' + end + it 'allows `span` elements' do exp = act = %q{<span>Hello</span>} expect(filter(act).to_html).to eq exp |