6 files changed, 71 insertions, 38 deletions

diff --git a/lib/banzai/filter/abstract_reference_filter.rb b/lib/banzai/filter/abstract_reference_filter.rb
index ef4578aabd6..a0f7e4e5ad5 100644
--- a/lib/banzai/filter/abstract_reference_filter.rb
+++ b/lib/banzai/filter/abstract_reference_filter.rb
@@ -95,7 +95,7 @@ module Banzai
       end
 
       def call
-        return doc if project.nil?
+        return doc unless project || group
 
         ref_pattern = object_class.reference_pattern
         link_pattern = object_class.link_reference_pattern
@@ -288,10 +288,14 @@ module Banzai
       end
 
       def current_project_path
+        return unless project
+
         @current_project_path ||= project.full_path
       end
 
       def current_project_namespace_path
+        return unless project
+
         @current_project_namespace_path ||= project.namespace.full_path
       end
 
diff --git a/lib/banzai/filter/markdown_filter.rb b/lib/banzai/filter/markdown_filter.rb
index ee73fa91589..9cac303e645 100644
--- a/lib/banzai/filter/markdown_filter.rb
+++ b/lib/banzai/filter/markdown_filter.rb
@@ -1,6 +1,18 @@
 module Banzai
   module Filter
     class MarkdownFilter < HTML::Pipeline::TextFilter
+      # https://github.com/vmg/redcarpet#and-its-like-really-simple-to-use
+      REDCARPET_OPTIONS = {
+        fenced_code_blocks:  true,
+        footnotes:           true,
+        lax_spacing:         true,
+        no_intra_emphasis:   true,
+        space_after_headers: true,
+        strikethrough:       true,
+        superscript:         true,
+        tables:              true
+      }.freeze
+
       def initialize(text, context = nil, result = nil)
         super text, context, result
         @text = @text.delete "\r"
@@ -13,27 +25,11 @@ module Banzai
       end
 
       def self.renderer
-        @renderer ||= begin
+        Thread.current[:banzai_markdown_renderer] ||= begin
           renderer = Banzai::Renderer::HTML.new
-          Redcarpet::Markdown.new(renderer, redcarpet_options)
+          Redcarpet::Markdown.new(renderer, REDCARPET_OPTIONS)
         end
       end
-
-      def self.redcarpet_options
-        # https://github.com/vmg/redcarpet#and-its-like-really-simple-to-use
-        @redcarpet_options ||= {
-          fenced_code_blocks:  true,
-          footnotes:           true,
-          lax_spacing:         true,
-          no_intra_emphasis:   true,
-          space_after_headers: true,
-          strikethrough:       true,
-          superscript:         true,
-          tables:              true
-        }.freeze
-      end
-
-      private_class_method :redcarpet_options
     end
   end
 end
diff --git a/lib/banzai/filter/reference_filter.rb b/lib/banzai/filter/reference_filter.rb
index a6f8650ed3d..c6ae28adf87 100644
--- a/lib/banzai/filter/reference_filter.rb
+++ b/lib/banzai/filter/reference_filter.rb
@@ -55,6 +55,10 @@ module Banzai
         context[:project]
       end
 
+      def group
+        context[:group]
+      end
+
       def skip_project_check?
         context[:skip_project_check]
       end
diff --git a/lib/banzai/filter/sanitization_filter.rb b/lib/banzai/filter/sanitization_filter.rb
index 9923ec4e870..6786b9d07b6 100644
--- a/lib/banzai/filter/sanitization_filter.rb
+++ b/lib/banzai/filter/sanitization_filter.rb
@@ -45,8 +45,9 @@ module Banzai
         whitelist[:elements].push('abbr')
         whitelist[:attributes]['abbr'] = %w(title)
 
-        # Disallow `name` attribute globally
+        # Disallow `name` attribute globally, allow on `a`
         whitelist[:attributes][:all].delete('name')
+        whitelist[:attributes]['a'].push('name')
 
         # Allow any protocol in `a` elements...
         whitelist[:protocols].delete('a')
@@ -72,10 +73,21 @@ module Banzai
             return unless node.has_attribute?('href')
 
             begin
+              node['href'] = node['href'].strip
               uri = Addressable::URI.parse(node['href'])
-              uri.scheme = uri.scheme.strip.downcase if uri.scheme
 
-              node.remove_attribute('href') if UNSAFE_PROTOCOLS.include?(uri.scheme)
+              return unless uri.scheme
+
+              # Remove all invalid scheme characters before checking against the
+              # list of unsafe protocols.
+              #
+              # See https://tools.ietf.org/html/rfc3986#section-3.1
+              scheme = uri.scheme
+                .strip
+                .downcase
+                .gsub(/[^A-Za-z0-9\+\.\-]+/, '')
+
+              node.remove_attribute('href') if UNSAFE_PROTOCOLS.include?(scheme)
             rescue Addressable::URI::InvalidURIError
               node.remove_attribute('href')
             end
diff --git a/lib/banzai/filter/user_reference_filter.rb b/lib/banzai/filter/user_reference_filter.rb
index f3356d6c51e..afb6e25963c 100644
--- a/lib/banzai/filter/user_reference_filter.rb
+++ b/lib/banzai/filter/user_reference_filter.rb
@@ -24,7 +24,7 @@ module Banzai
       end
 
       def call
-        return doc if project.nil? && !skip_project_check?
+        return doc if project.nil? && group.nil? && !skip_project_check?
 
         ref_pattern = User.reference_pattern
         ref_pattern_start = /\A#{ref_pattern}\z/
@@ -101,19 +101,12 @@ module Banzai
       end
 
       def link_to_all(link_content: nil)
-        project = context[:project]
         author = context[:author]
 
-        if author && !project.team.member?(author)
+        if author && !team_member?(author)
           link_content
         else
-          url = urls.project_url(project,
-                                           only_path: context[:only_path])
-
-          data = data_attribute(project: project.id, author: author.try(:id))
-          content = link_content || User.reference_prefix + 'all'
-
-          link_tag(url, data, content, 'All Project and Group Members')
+          parent_url(link_content, author)
         end
       end
 
@@ -144,6 +137,35 @@ module Banzai
       def link_tag(url, data, link_content, title)
         %(<a href="#{url}" #{data} class="#{link_class}" title="#{escape_once(title)}">#{link_content}</a>)
       end
+
+      def parent
+        context[:project] || context[:group]
+      end
+
+      def parent_group?
+        parent.is_a?(Group)
+      end
+
+      def team_member?(user)
+        if parent_group?
+          parent.member?(user)
+        else
+          parent.team.member?(user)
+        end
+      end
+
+      def parent_url(link_content, author)
+        if parent_group?
+          url = urls.group_url(parent, only_path: context[:only_path])
+          data = data_attribute(group: group.id, author: author.try(:id))
+        else
+          url = urls.project_url(parent, only_path: context[:only_path])
+          data = data_attribute(project: project.id, author: author.try(:id))
+        end
+
+        content = link_content || User.reference_prefix + 'all'
+        link_tag(url, data, content, 'All Project and Group Members')
+      end
     end
   end
 end
diff --git a/lib/banzai/renderer.rb b/lib/banzai/renderer.rb
index ceca9296851..5f91884a878 100644
--- a/lib/banzai/renderer.rb
+++ b/lib/banzai/renderer.rb
@@ -40,7 +40,7 @@ module Banzai
         return cacheless_render_field(object, field)
       end
 
-      object.refresh_markdown_cache!(do_update: update_object?(object)) unless object.cached_html_up_to_date?(field)
+      object.refresh_markdown_cache! unless object.cached_html_up_to_date?(field)
 
       object.cached_html_for(field)
     end
@@ -162,10 +162,5 @@ module Banzai
       return unless cache_key
       Rails.cache.__send__(:expanded_key, full_cache_key(cache_key, pipeline_name)) # rubocop:disable GitlabSecurity/PublicSend
     end
-
-    # GitLab EE needs to disable updates on GET requests in Geo
-    def self.update_object?(object)
-      true
-    end
   end
 end