-rw-r--r--Gemfile2
-rw-r--r--Gemfile.lock4
-rw-r--r--Gemfile.rails5.lock4
-rw-r--r--lib/banzai/filter/sanitization_filter.rb17
4 files changed, 10 insertions, 17 deletions
diff --git a/Gemfile b/Gemfile
index 82559fa731c..993c3c4b3e7 100644
--- a/Gemfile
+++ b/Gemfile
@@ -132,7 +132,7 @@ gem 'unf', '~> 0.1.4'
gem 'seed-fu', '~> 2.3.7'
# Markdown and HTML processing
-gem 'html-pipeline', '~> 2.7.1'
+gem 'html-pipeline', '~> 2.8'
gem 'deckar01-task_list', '2.0.0'
gem 'gitlab-markup', '~> 1.6.4'
gem 'redcarpet', '~> 3.4'
diff --git a/Gemfile.lock b/Gemfile.lock
index 1cd336c95d0..a4784cc6499 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -394,7 +394,7 @@ GEM
hipchat (1.5.2)
httparty
mimemagic
- html-pipeline (2.7.1)
+ html-pipeline (2.8.3)
activesupport (>= 2)
nokogiri (>= 1.4)
html2text (0.2.0)
@@ -1061,7 +1061,7 @@ DEPENDENCIES
hashie-forbidden_attributes
health_check (~> 2.6.0)
hipchat (~> 1.5.0)
- html-pipeline (~> 2.7.1)
+ html-pipeline (~> 2.8)
html2text
httparty (~> 0.13.3)
icalendar
diff --git a/Gemfile.rails5.lock b/Gemfile.rails5.lock
index 3159942b4c5..75d9db5f29a 100644
--- a/Gemfile.rails5.lock
+++ b/Gemfile.rails5.lock
@@ -397,7 +397,7 @@ GEM
hipchat (1.5.2)
httparty
mimemagic
- html-pipeline (2.7.1)
+ html-pipeline (2.8.3)
activesupport (>= 2)
nokogiri (>= 1.4)
html2text (0.2.0)
@@ -1071,7 +1071,7 @@ DEPENDENCIES
hashie-forbidden_attributes
health_check (~> 2.6.0)
hipchat (~> 1.5.0)
- html-pipeline (~> 2.7.1)
+ html-pipeline (~> 2.8)
html2text
httparty (~> 0.13.3)
icalendar
diff --git a/lib/banzai/filter/sanitization_filter.rb b/lib/banzai/filter/sanitization_filter.rb
index afc2ca4e362..8275bb9e149 100644
--- a/lib/banzai/filter/sanitization_filter.rb
+++ b/lib/banzai/filter/sanitization_filter.rb
@@ -4,27 +4,20 @@ module Banzai
#
# Extends HTML::Pipeline::SanitizationFilter with a custom whitelist.
class SanitizationFilter < HTML::Pipeline::SanitizationFilter
+ include Gitlab::Utils::StrongMemoize
+
UNSAFE_PROTOCOLS = %w(data javascript vbscript).freeze
TABLE_ALIGNMENT_PATTERN = /text-align: (?<alignment>center|left|right)/
def whitelist
- whitelist = super
-
- customize_whitelist(whitelist)
-
- whitelist
+ strong_memoize(:whitelist) do
+ customize_whitelist(super.dup)
+ end
end
private
- def customized?(transformers)
- transformers.last.source_location[0] == __FILE__
- end
-
def customize_whitelist(whitelist)
- # Only push these customizations once
- return if customized?(whitelist[:transformers])
-
# Allow table alignment; we whitelist specific text-align values in a
# transformer below
whitelist[:attributes]['th'] = %w(style)
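Review bot: `super.dup` in the new `whitelist` body is a shallow copy, so the nested containers it holds (`whitelist[:attributes]`, `whitelist[:transformers]`) are still the objects returned by the parent's whitelist; the write `whitelist[:attributes]['th'] = %w(style)` on the last visible line, and any push onto `whitelist[:transformers]` further down in `customize_whitelist`, mutate that shared state rather than a private copy. The removed `customized?` guard was what previously kept the transformers from being appended on every filter instantiation, and `strong_memoize` is per instance, so if the parent returns a reference to a shared structure the transformer list would presumably grow with each new filter — the same defect the old guard prevented, but now without the guard; this needs confirming against the html-pipeline 2.8 implementation of `whitelist`. Since the project already depends on activesupport, a deep copy fixes both concerns: `customize_whitelist(super.deep_dup)`. A spec that builds two filters and asserts the transformer count on the second equals the first would pin this. The body of `customize_whitelist` continues outside the hunk.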