From 6798a6a8e224471b69018ad5cc4a526654ea5772 Mon Sep 17 00:00:00 2001 From: Vinnie Okada Date: Fri, 10 Oct 2014 14:34:43 -0500 Subject: Allow HTML tags in user Markdown input Allow whitelisted tags to appear in rendered HTML output by disabling Redcarpet's `:filter_html` option. --- spec/helpers/gitlab_markdown_helper_spec.rb | 30 +++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) (limited to 'spec/helpers/gitlab_markdown_helper_spec.rb') diff --git a/spec/helpers/gitlab_markdown_helper_spec.rb b/spec/helpers/gitlab_markdown_helper_spec.rb index 15033f07432..c75773ad321 100644 --- a/spec/helpers/gitlab_markdown_helper_spec.rb +++ b/spec/helpers/gitlab_markdown_helper_spec.rb @@ -614,6 +614,36 @@ describe GitlabMarkdownHelper do expected = "" markdown(actual).should match(expected) end + + it 'should allow whitelisted HTML tags from the user' do + actual = '
Term
Definition
' + expect(markdown(actual)).to match(actual) + end + + it 'should sanitize tags that are not whitelisted' do + actual = ' no blinks' + expected = 'no inputs allowed no blinks' + expect(markdown(actual)).to match(expected) + expect(markdown(actual)).not_to match('<.textarea>') + expect(markdown(actual)).not_to match('<.blink>') + end + + it 'should allow whitelisted tag attributes from the user' do + actual = 'link text' + expect(markdown(actual)).to match(actual) + end + + it 'should sanitize tag attributes that are not whitelisted' do + actual = 'link text' + expected = 'link text' + expect(markdown(actual)).to match(expected) + end + + it 'should sanitize javascript in attributes' do + actual = %q(link text) + expected = 'link text' + expect(markdown(actual)).to match(expected) + end end describe 'markdown for empty repository' do -- cgit v1.2.1