kotovalexarian-likes-gitlab/gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity

Merge branch 'fix/memory-leak-sanitization-filter' into 'master'

Browse source 
Fix a memory leak in HTML::Pipeline::SanitizationFilter::WHITELIST

See merge request !6456
This commit is contained in:
Yorick Peterse 2016-09-23 15:42:20 +00:00
commit 640ab3072f
2 changed files with 33 additions and 32 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
CHANGELOG
View file

@ -4,6 +4,7 @@ v 8.13.0 (unreleased)
- Speed-up group milestones show page
v 8.12.1 (unreleased)
- Fix a memory leak in HTML::Pipeline::SanitizationFilter::WHITELIST
v 8.12.0
- Update the rouge gem to 2.0.6, which adds highlighting support for JSX, Prometheus, and others. !6251

14
lib/banzai/filter/sanitization_filter.rb
View file

@ -7,7 +7,7 @@ module Banzai
UNSAFE_PROTOCOLS = %w(data javascript vbscript).freeze
def whitelist
whitelist = super.dup
whitelist = super
customize_whitelist(whitelist)
@ -42,20 +42,19 @@ module Banzai
# Allow any protocol in `a` elements...
whitelist[:protocols].delete('a')
whitelist[:transformers] = whitelist[:transformers].dup
# ...but then remove links with unsafe protocols
whitelist[:transformers].push(remove_unsafe_links)
whitelist[:transformers].push(self.class.remove_unsafe_links)
# Remove `rel` attribute from `a` elements
whitelist[:transformers].push(remove_rel)
whitelist[:transformers].push(self.class.remove_rel)
# Remove `class` attribute from non-highlight spans
whitelist[:transformers].push(clean_spans)
whitelist[:transformers].push(self.class.clean_spans)
whitelist
end
class << self
def remove_unsafe_links
lambda do |env|
node = env[:node]
@ -89,7 +88,7 @@ module Banzai
return unless node.name == 'span'
return unless node.has_attribute?('class')
unless has_ancestor?(node, 'pre')
unless node.ancestors.any? { |n| n.name.casecmp('pre').zero? }
node.remove_attribute('class')
end
@ -99,3 +98,4 @@ module Banzai
end
end
end
end