kotovalexarian-likes-gitlab
/
gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity

Customize the sanitization whitelist only once 

Fixes #1651
This commit is contained in:
Robert Speicher 2015-05-20 20:55:11 -04:00
parent 71b1a2c728
commit 212fe14c65
1 changed files with 22 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
lib/gitlab/markdown/sanitization_filter.rb
View File

@ -8,28 +8,33 @@ module Gitlab
# Extends HTML::Pipeline::SanitizationFilter with a custom whitelist.
class SanitizationFilter < HTML::Pipeline::SanitizationFilter
def whitelist
whitelist = HTML::Pipeline::SanitizationFilter::WHITELIST
whitelist = super
# Allow code highlighting
whitelist[:attributes]['pre'] = %w(class)
whitelist[:attributes]['span'] = %w(class)
# Only push these customizations once
unless customized?(whitelist[:transformers])
# Allow code highlighting
whitelist[:attributes]['pre'] = %w(class)
whitelist[:attributes]['span'] = %w(class)
# Allow table alignment
whitelist[:attributes]['th'] = %w(style)
whitelist[:attributes]['td'] = %w(style)
# Allow table alignment
whitelist[:attributes]['th'] = %w(style)
whitelist[:attributes]['td'] = %w(style)
# Allow span elements
whitelist[:elements].push('span')
# Allow span elements
whitelist[:elements].push('span')
# Remove `rel` attribute from `a` elements
whitelist[:transformers].push(remove_rel)
# Remove `rel` attribute from `a` elements
whitelist[:transformers].push(remove_rel)
# Remove `class` attribute from non-highlight spans
whitelist[:transformers].push(clean_spans)
# Remove `class` attribute from non-highlight spans
whitelist[:transformers].push(clean_spans)
end
whitelist
end
private
def remove_rel
lambda do |env|
if env[:node_name] == 'a'
@ -48,6 +53,10 @@ module Gitlab
end
end
end
def customized?(transformers)
transformers.last.source_location[0] == __FILE__
end
end
end
end