Allow HTML tags in user Markdown input

Allow whitelisted tags to appear in rendered HTML output by disabling Redcarpet's `:filter_html` option.
2014-10-10 14:34:43 -05:00 · 2014-10-10 14:34:43 -05:00 · 6798a6a8e2
parent f7342ce567
commit 6798a6a8e2
3 changed files with 36 additions and 2 deletions
--- a/app/helpers/gitlab_markdown_helper.rb
+++ b/app/helpers/gitlab_markdown_helper.rb
@ -33,7 +33,6 @@ module GitlabMarkdownHelper
      @options = options
      gitlab_renderer = Redcarpet::Render::GitlabHTML.new(self, {
                            # see https://github.com/vmg/redcarpet#darling-i-packed-you-a-couple-renderers-for-lunch-
-                            filter_html: true,
                            with_toc_data: true,
                            safe_links_only: true
                          }.merge(options))
@ -48,7 +47,7 @@ module GitlabMarkdownHelper
                      space_after_headers: true,
                      superscript: true)
    end
-    @markdown.render(text).html_safe
+    @markdown.render(sanitize_html(text)).html_safe
  end

  def first_line_in_markdown(text)
--- a/lib/gitlab/markdown.rb
+++ b/lib/gitlab/markdown.rb
@ -80,6 +80,11 @@ module Gitlab
                                                             markdown_context)
      text = result[:output].to_html(save_with: 0)

+      sanitize_html(text)
+    end
+
+    # Remove HTML tags and attributes that are not whitelisted
+    def sanitize_html(text)
      allowed_attributes = ActionView::Base.sanitized_allowed_attributes
      allowed_tags = ActionView::Base.sanitized_allowed_tags

--- a/spec/helpers/gitlab_markdown_helper_spec.rb
+++ b/spec/helpers/gitlab_markdown_helper_spec.rb
@ -614,6 +614,36 @@ describe GitlabMarkdownHelper do
      expected = ""
      markdown(actual).should match(expected)
    end
+
+    it 'should allow whitelisted HTML tags from the user' do
+      actual = '<dl><dt>Term</dt><dd>Definition</dd></dl>'
+      expect(markdown(actual)).to match(actual)
+    end
+
+    it 'should sanitize tags that are not whitelisted' do
+      actual = '<textarea>no inputs allowed</textarea> <blink>no blinks</blink>'
+      expected = 'no inputs allowed no blinks'
+      expect(markdown(actual)).to match(expected)
+      expect(markdown(actual)).not_to match('<.textarea>')
+      expect(markdown(actual)).not_to match('<.blink>')
+    end
+
+    it 'should allow whitelisted tag attributes from the user' do
+      actual = '<a class="custom">link text</a>'
+      expect(markdown(actual)).to match(actual)
+    end
+
+    it 'should sanitize tag attributes that are not whitelisted' do
+      actual = '<a href="http://example.com/bar.html" foo="bar">link text</a>'
+      expected = '<a href="http://example.com/bar.html">link text</a>'
+      expect(markdown(actual)).to match(expected)
+    end
+
+    it 'should sanitize javascript in attributes' do
+      actual = %q(<a href="javascript:alert('foo')">link text</a>)
+      expected = '<a>link text</a>'
+      expect(markdown(actual)).to match(expected)
+    end
  end

  describe 'markdown for empty repository' do