From 99e816bc80b3571bce40cca525d35724ee7ab968 Mon Sep 17 00:00:00 2001
From: Pirate Praveen
Date: Sat, 30 Jun 2018 13:35:03 +0200
Subject: [PATCH 1/3] update html-pipeline 2.7.1 -> 2.8

---
 Gemfile | 2 +-
 Gemfile.lock | 4 ++--
 Gemfile.rails5.lock | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/Gemfile b/Gemfile
index 82559fa731c..993c3c4b3e7 100644
--- a/Gemfile
+++ b/Gemfile
@@ -132,7 +132,7 @@ gem 'unf', '~> 0.1.4'
 gem 'seed-fu', '~> 2.3.7'
 
 # Markdown and HTML processing
-gem 'html-pipeline', '~> 2.7.1'
+gem 'html-pipeline', '~> 2.8'
 gem 'deckar01-task_list', '2.0.0'
 gem 'gitlab-markup', '~> 1.6.4'
 gem 'redcarpet', '~> 3.4'
diff --git a/Gemfile.lock b/Gemfile.lock
index 79e3888fa64..637846e0330 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -394,7 +394,7 @@ GEM
     hipchat (1.5.2)
       httparty
       mimemagic
-    html-pipeline (2.7.1)
+    html-pipeline (2.8.3)
       activesupport (>= 2)
       nokogiri (>= 1.4)
     html2text (0.2.0)
@@ -1061,7 +1061,7 @@ DEPENDENCIES
   hashie-forbidden_attributes
   health_check (~> 2.6.0)
   hipchat (~> 1.5.0)
-  html-pipeline (~> 2.7.1)
+  html-pipeline (~> 2.8)
   html2text
   httparty (~> 0.13.3)
   icalendar
diff --git a/Gemfile.rails5.lock b/Gemfile.rails5.lock
index 3159942b4c5..75d9db5f29a 100644
--- a/Gemfile.rails5.lock
+++ b/Gemfile.rails5.lock
@@ -397,7 +397,7 @@ GEM
     hipchat (1.5.2)
       httparty
       mimemagic
-    html-pipeline (2.7.1)
+    html-pipeline (2.8.3)
       activesupport (>= 2)
       nokogiri (>= 1.4)
     html2text (0.2.0)
@@ -1071,7 +1071,7 @@ DEPENDENCIES
   hashie-forbidden_attributes
   health_check (~> 2.6.0)
   hipchat (~> 1.5.0)
-  html-pipeline (~> 2.7.1)
+  html-pipeline (~> 2.8)
   html2text
   httparty (~> 0.13.3)
   icalendar

From 89bffe083d35a39e67d03ebd9a8e0c7bf0ca7bde Mon Sep 17 00:00:00 2001
From: Pirate Praveen
Date: Sat, 30 Jun 2018 13:56:13 +0200
Subject: [PATCH 2/3] dup whitelist before modification

Fixes ActionView::Template::Error (can't modify frozen Hash) #48415
---
 lib/banzai/filter/sanitization_filter.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/banzai/filter/sanitization_filter.rb b/lib/banzai/filter/sanitization_filter.rb
index afc2ca4e362..4110163d3bd 100644
--- a/lib/banzai/filter/sanitization_filter.rb
+++ b/lib/banzai/filter/sanitization_filter.rb
@@ -8,7 +8,7 @@ module Banzai
       TABLE_ALIGNMENT_PATTERN = /text-align: (?center|left|right)/
 
       def whitelist
-        whitelist = super
+        whitelist = super.dup
 
         customize_whitelist(whitelist)
 

From d699362a0931427354a40246b72747837ad85fcb Mon Sep 17 00:00:00 2001
From: Robert Speicher
Date: Tue, 3 Jul 2018 16:50:48 -0500
Subject: [PATCH 3/3] Use strong_memoize to customize the SanitizationFilter whitelist

I never liked the hacky `customized?` method anyway, so this is cleaner.
---
 lib/banzai/filter/sanitization_filter.rb | 17 +++++------------
 1 file changed, 5 insertions(+), 12 deletions(-)

diff --git a/lib/banzai/filter/sanitization_filter.rb b/lib/banzai/filter/sanitization_filter.rb
index 4110163d3bd..8275bb9e149 100644
--- a/lib/banzai/filter/sanitization_filter.rb
+++ b/lib/banzai/filter/sanitization_filter.rb
@@ -4,27 +4,20 @@ module Banzai
     #
     # Extends HTML::Pipeline::SanitizationFilter with a custom whitelist.
     class SanitizationFilter < HTML::Pipeline::SanitizationFilter
+      include Gitlab::Utils::StrongMemoize
+
       UNSAFE_PROTOCOLS = %w(data javascript vbscript).freeze
       TABLE_ALIGNMENT_PATTERN = /text-align: (?center|left|right)/
 
       def whitelist
-        whitelist = super.dup
-
-        customize_whitelist(whitelist)
-
-        whitelist
+        strong_memoize(:whitelist) do
+          customize_whitelist(super.dup)
+        end
       end
 
       private
 
-      def customized?(transformers)
-        transformers.last.source_location[0] == __FILE__
-      end
-
       def customize_whitelist(whitelist)
-        # Only push these customizations once
-        return if customized?(whitelist[:transformers])
-
         # Allow table alignment; we whitelist specific text-align values in a
         # transformer below
         whitelist[:attributes]['th'] = %w(style)
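Review bot: `super.dup` on the added line is only a shallow copy, so the nested values of the returned whitelist hash are still the objects shared with the parent filter's whitelist, and `customize_whitelist` writes into them (`whitelist[:attributes]['th'] = %w(style)` is visible in the third patch's hunk, and the removed `customized?` guard checking `whitelist[:transformers].last` suggests transformers are appended to that shared array as well). If those nested containers are frozen too, the `can't modify frozen Hash` error from the commit message just moves one level down; if they are not, every customization is applied in place to the upstream whitelist, accumulating across filter instances and affecting any other consumer of the parent's whitelist, which is presumably what `customized?` was guarding against. A deep copy avoids both: `whitelist = super.deep_dup` here, and `customize_whitelist(super.deep_dup)` in the third patch (ActiveSupport is already in the bundle per Gemfile.lock). The remainder of `whitelist` and the body of `customize_whitelist` lie outside this hunk.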
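Review bot: The memoized value is now whatever `customize_whitelist` returns, whereas the removed lines returned the `whitelist` local explicitly after the call; the end of `customize_whitelist` is outside this hunk, so confirm its last expression is the whitelist hash itself rather than, say, the result of the final assignment or push it performs. Making that independent of the helper's return value is a one-line change: `super.dup.tap { |list| customize_whitelist(list) }` in place of `customize_whitelist(super.dup)`. It would also help to state in a comment above `strong_memoize(:whitelist)` that the memoization replaces the old `customized?` guard and holds per filter instance, since that is the only thing now preventing the customizations from being applied twice to the same hash within one instance.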