Add a `pipeline` context option for SanitizationFilter
When this option is `:description`, we use a more restrictive whitelist. This is used for Project and Group description fields.
This commit is contained in:
parent
1a52f19c45
commit
023dd2907b
@ -11,7 +11,7 @@
@#{@group.path}
- if @group.description.present?
.description
= markdown(@group.description)
= markdown(@group.description, pipeline: :description)
%hr
|
= render 'shared/show_aside'
|
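Review bot: The stricter whitelist takes effect only where a call site opts in, as the group page does here with `= markdown(@group.description, pipeline: :description)` and the project page does in the next section; any other template that renders a group or project description through plain `markdown(...)` is not visible in this commit and, if it exists, keeps the full whitelist, so the restriction is per call site rather than per field. A small helper that always passes the option, e.g. `= markdown_description(@group.description)`, would make the restricted pipeline hard to forget at new call sites; if these two pages are the only ones, a one-line comment on each noting that descriptions must use `pipeline: :description` is enough.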
@ -5,7 +5,7 @@
.project-home-row.project-home-row-top
.project-home-desc
- if @project.description.present?
= markdown(@project.description)
= markdown(@project.description, pipeline: :description)
- if can?(current_user, :admin_project, @project)
–
= link_to 'Edit', edit_namespace_project_path
|
@ -57,6 +57,9 @@ module Gitlab
pipeline = HTML::Pipeline.new(filters)
|
context = {
# SanitizationFilter
pipeline: options[:pipeline],
|
# EmojiFilter
asset_root: Gitlab.config.gitlab.url,
asset_host: Gitlab::Application.config.asset_host,
|
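Review bot: `pipeline: options[:pipeline]` is forwarded into the filter context without validation, and on the filter side (next section: `context[:pipeline] || :default` and the single `if pipeline == :description` test) every value other than `:description` selects the full whitelist, so a misspelled or unexpected value silently yields the less restrictive sanitization instead of an error. The enclosing method starts outside this hunk, so its option documentation is not visible; at minimum the contract should be stated on the context key, e.g. `# SanitizationFilter: :description selects the restricted whitelist; nil or any other value falls back to the default, permissive one`. Failing closed at this boundary is cheap: `raise ArgumentError, "unknown pipeline: #{options[:pipeline].inspect}" unless [nil, :default, :description].include?(options[:pipeline])`.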
@ -8,10 +8,33 @@ module Gitlab
# Extends HTML::Pipeline::SanitizationFilter with a custom whitelist.
class SanitizationFilter < HTML::Pipeline::SanitizationFilter
def whitelist
# Descriptions are more heavily sanitized, allowing only a few elements.
# See http://git.io/vkuAN
if pipeline == :description
whitelist = LIMITED
else
whitelist = super
end
|
customize_whitelist(whitelist)
|
whitelist
end
|
private
|
def pipeline
context[:pipeline] || :default
end
|
def customized?(transformers)
transformers.last.source_location[0] == __FILE__
end
|
def customize_whitelist(whitelist)
# Only push these customizations once
unless customized?(whitelist[:transformers])
return if customized?(whitelist[:transformers])
|
# Allow code highlighting
whitelist[:attributes]['pre'] = %w(class)
whitelist[:attributes]['span'] = %w(class)
|
@ -28,13 +51,10 @@ module Gitlab
|
# Remove `class` attribute from non-highlight spans
whitelist[:transformers].push(clean_spans)
end
|
whitelist
end
|
private
|
def remove_rel
lambda do |env|
if env[:node_name] == 'a'
|
@ -53,10 +73,6 @@ module Gitlab
end
end
end
|
def customized?(transformers)
transformers.last.source_location[0] == __FILE__
end
end
end
end
|
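Review bot: `whitelist` in the first hunk selects `LIMITED` or the hash returned by `super` and hands that very object to `customize_whitelist`, which mutates it in place (`whitelist[:attributes]['pre'] = %w(class)`, `whitelist[:attributes]['span'] = %w(class)`, `whitelist[:transformers].push(clean_spans)`), so the first `:description` render customizes the `LIMITED` constant for the whole process, just as the default path has always done with its own whitelist. Whether `LIMITED` shares its nested `:attributes` hash or `:transformers` array with the default whitelist is not visible here; if it does, the two pipelines are not independent, and the once-only guard in `customize_whitelist`, which inspects only `transformers.last`, would mask the overlap rather than reveal it. Customizing a per-call copy keeps the shared constants untouched and makes each pipeline's allowances explicit; the `customizes the whitelist only once` spec would then count transformers on a fresh copy each time, so its expected size should be re-checked against whatever the base whitelist carries. Separately, `customized?` calls `transformers.last.source_location` and raises `NoMethodError` on an empty transformer list, which is worth a guard such as `last = transformers.last` followed by `last && last.source_location[0] == __FILE__` if a whitelist without transformers can reach it.
```ruby
def whitelist
  # Descriptions are more heavily sanitized, allowing only a few elements.
  # See http://git.io/vkuAN
  base = pipeline == :description ? LIMITED : super

  # Customize a per-call copy so the shared whitelist constants are never
  # mutated. The copy is one level deep, which covers the attribute-array
  # assignments and transformer pushes visible in customize_whitelist.
  whitelist = base.dup
  whitelist[:attributes] = base[:attributes].dup
  whitelist[:transformers] = base[:transformers].dup

  customize_whitelist(whitelist)

  whitelist
end
# … unchanged: pipeline, customized?, customize_whitelist, remove_rel …
```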
@ -42,6 +42,13 @@ module Gitlab::Markdown
end
|
describe 'custom whitelist' do
it 'customizes the whitelist only once' do
instance = described_class.new('Foo')
3.times { instance.whitelist }
|
expect(instance.whitelist[:transformers].size).to eq 4
end
|
it 'allows syntax highlighting' do
exp = act = %q{<pre class="code highlight white c"><code><span class="k">def</span></code></pre>}
expect(filter(act).to_html).to eq exp
|
@ -87,5 +94,12 @@ module Gitlab::Markdown
expect(doc.at_css('a')['href']).to be_nil
end
end
|
context 'when pipeline is :description' do
it 'uses a stricter whitelist' do
doc = filter('<h1>My Project</h1>', pipeline: :description)
expect(doc.to_html.strip).to eq 'My Project'
end
end
end
end
|
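Review bot: The new `uses a stricter whitelist` example asserts only that `<h1>` is stripped under `pipeline: :description`; it does not check that the default pipeline is unaffected once a `:description` filter has run, which matters because (previous section) both pipelines customize the selected whitelist in place and rely on the same `customized?` guard. An example that first runs `filter('<h1>My Project</h1>', pipeline: :description)` and then `filter(%q{<pre class="code highlight"><code><span class="k">def</span></code></pre>})`, expecting the `class` attributes to survive as in the `allows syntax highlighting` example above, would pin that independence. A companion example feeding the same `pre`/`span` markup to the `:description` filter is also worth adding, since it is not visible here whether the restricted whitelist is meant to keep code highlighting or to drop it.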