Diffstat (limited to 'lib/gitlab/sanitizers/svg.rb')
-rw-r--r--lib/gitlab/sanitizers/svg.rb23
1 files changed, 18 insertions, 5 deletions
diff --git a/lib/gitlab/sanitizers/svg.rb b/lib/gitlab/sanitizers/svg.rb
index 5e95f6c0529..a540c534dee 100644
--- a/lib/gitlab/sanitizers/svg.rb
+++ b/lib/gitlab/sanitizers/svg.rb
@@ -13,12 +13,11 @@ module Gitlab
unless Whitelist::ALLOWED_ELEMENTS.include?(node.name)
node.unlink
else
- node.attributes.each do |attr_name, attr|
- valid_attributes = Whitelist::ALLOWED_ATTRIBUTES[node.name]
+ valid_attributes = Whitelist::ALLOWED_ATTRIBUTES[node.name]
- unless valid_attributes && valid_attributes.include?(attr_name)
- if Whitelist::ALLOWED_DATA_ATTRIBUTES_IN_ELEMENTS.include?(node.name) &&
- attr_name.start_with?('data-')
+ node.attribute_nodes.each do |attr|
+ unless valid_attributes && valid_attributes.include?(attribute_name_with_namespace(attr))
+ if Whitelist::ALLOWED_DATA_ATTRIBUTES_IN_ELEMENTS.include?(node.name) && data_attribute?(attr)
# Arbitrary data attributes are allowed. Verify that the attribute
# is a valid data attribute.
attr.unlink unless attr_name =~ DATA_ATTR_PATTERN
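Review bot: `attr_name` in the context line `attr.unlink unless attr_name =~ DATA_ATTR_PATTERN` is no longer bound on the new side — it was the block parameter of the removed `node.attributes.each do |attr_name, attr|`, and the replacement `node.attribute_nodes.each do |attr|` does not define it, so the first `data-*` attribute on an element in ALLOWED_DATA_ATTRIBUTES_IN_ELEMENTS raises NameError instead of being validated. Bind it once at the top of the block and reuse it in the whitelist test: `attr_name = attribute_name_with_namespace(attr)` followed by `unless valid_attributes && valid_attributes.include?(attr_name)`. Note also that `data_attribute?(attr)` appears to inspect the unprefixed `attr.name` while the whitelist check uses the prefixed form, so for a namespaced attribute the two checks compare different strings; if that is intended, a comment saying so would save the next reader the same question. The enclosing method begins outside this hunk.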
@@ -29,6 +28,20 @@ module Gitlab
end
end
end
+
+ def attribute_name_with_namespace(attr)
+ if attr.namespace
+ "#{attr.namespace.prefix}:#{attr.name}"
+ else
+ attr.name
+ end
+ end
+
+ private
+
+ def data_attribute?(attr)
+ attr.name.start_with?('data-')
+ end
end
end
end
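Review bot: `attribute_name_with_namespace` is defined above the `private` marker, so it joins the class's public surface while its sibling helper `data_attribute?` is private; unless a caller outside the class needs it, move `private` up so both helpers sit below it. A short comment on it would also help, e.g. `# Whitelist entries for namespaced attributes are written "prefix:name"; return that form so they can be matched, else the bare name.` If `attr.namespace` can be present with a nil `prefix`, the result is `":name"`, which presumably matches no whitelist entry and takes the non-whitelisted path — fail-closed, but worth confirming that is the intended outcome rather than an accident of the interpolation.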