From c3bda6c3894528fb211c582c5b8da8d6ae125e52 Mon Sep 17 00:00:00 2001
From: Robert Speicher
Date: Fri, 22 Sep 2017 11:51:09 -0400
Subject: Re-allow `name` attribute on user-provided anchor HTML
---
changelogs/unreleased/rs-allow-name-on-anchors.yml | 5 +++++
lib/banzai/filter/sanitization_filter.rb | 3 ++-
spec/lib/banzai/filter/sanitization_filter_spec.rb | 4 +++-
3 files changed, 10 insertions(+), 2 deletions(-)
create mode 100644 changelogs/unreleased/rs-allow-name-on-anchors.yml
diff --git a/changelogs/unreleased/rs-allow-name-on-anchors.yml b/changelogs/unreleased/rs-allow-name-on-anchors.yml
new file mode 100644
index 00000000000..59e95ed8a0e
--- /dev/null
+++ b/changelogs/unreleased/rs-allow-name-on-anchors.yml
@@ -0,0 +1,5 @@
+---
+title: Re-allow `name` attribute on user-provided anchor HTML
+merge_request:
+author:
+type: fixed
diff --git a/lib/banzai/filter/sanitization_filter.rb b/lib/banzai/filter/sanitization_filter.rb
index 9923ec4e870..88b17e12576 100644
--- a/lib/banzai/filter/sanitization_filter.rb
+++ b/lib/banzai/filter/sanitization_filter.rb
@@ -45,8 +45,9 @@ module Banzai
 whitelist[:elements].push('abbr')
 whitelist[:attributes]['abbr'] = %w(title)
- # Disallow `name` attribute globally
+ # Disallow `name` attribute globally, allow on `a`
 whitelist[:attributes][:all].delete('name')
+ whitelist[:attributes]['a'].push('name')
 # Allow any protocol in `a` elements...
 whitelist[:protocols].delete('a')
diff --git a/spec/lib/banzai/filter/sanitization_filter_spec.rb b/spec/lib/banzai/filter/sanitization_filter_spec.rb
index 01ceb21dfaa..69bd062ebcd 100644
--- a/spec/lib/banzai/filter/sanitization_filter_spec.rb
+++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb
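Review bot: The added `whitelist[:attributes]['a'].push('name')` hands a user-controlled fragment target back to the rendered page with no constraint on its value, so a user-authored `<a name="...">` can shadow any same-named anchor or `id` that the surrounding application page defines, because fragment navigation falls back to `a` elements matched by `name`. If the pipeline already namespaces user-provided `id` values before output (that handling, if present, is outside this hunk), the same treatment should be applied to `name` here or in a later filter rather than passing the raw value through; otherwise the exemption deserves a sentence explaining why it is acceptable. Either way the comment should record the intent, e.g. `# Disallow the name attribute globally, but allow it on <a> so user content can define anchor targets`. The enclosing method starts and ends outside the hunk.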
@@ -101,16 +101,18 @@ describe Banzai::Filter::SanitizationFilter do
 expect(filter(act).to_html).to eq exp
 end
- it 'disallows the `name` attribute globally' do
+ it 'disallows the `name` attribute globally, allows on `a`' do
 html = <<~HTML
 Hi
+ Bye
 HTML
 doc = filter(html)
 expect(doc.at_css('img')).not_to have_attribute('name')
 expect(doc.at_css('span')).not_to have_attribute('name')
+ expect(doc.at_css('a')).to have_attribute('name')
 end
 it 'allows `summary` elements' do
-- cgit v1.2.1
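Review bot: The new assertion `expect(doc.at_css('a')).to have_attribute('name')` checks only that the attribute survived sanitization, not that its value came through unchanged, so a filter that rewrote or prefixed the value would still pass; asserting on the value too, e.g. `expect(doc.at_css('a')['name']).to eq('<name value used in the heredoc>')`, pins the behaviour the changelog describes. The heredoc input lines appear to have lost their markup in this rendering, so the exact value cannot be read from the hunk. The enclosing describe block starts and ends outside the hunk.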