Allow HTML tags in user Markdown input
Allow whitelisted tags to appear in rendered HTML output by disabling Redcarpet's `:filter_html` option.
This commit is contained in:
parent
f7342ce567
commit
6798a6a8e2
|
@ -33,7 +33,6 @@ module GitlabMarkdownHelper
|
|||
@options = options
|
||||
gitlab_renderer = Redcarpet::Render::GitlabHTML.new(self, {
|
||||
# see https://github.com/vmg/redcarpet#darling-i-packed-you-a-couple-renderers-for-lunch-
|
||||
filter_html: true,
|
||||
with_toc_data: true,
|
||||
safe_links_only: true
|
||||
}.merge(options))
|
||||
|
@ -48,7 +47,7 @@ module GitlabMarkdownHelper
|
|||
space_after_headers: true,
|
||||
superscript: true)
|
||||
end
|
||||
@markdown.render(text).html_safe
|
||||
@markdown.render(sanitize_html(text)).html_safe
|
||||
end
|
||||
|
||||
def first_line_in_markdown(text)
|
||||
|
|
|
@ -80,6 +80,11 @@ module Gitlab
|
|||
markdown_context)
|
||||
text = result[:output].to_html(save_with: 0)
|
||||
|
||||
sanitize_html(text)
|
||||
end
|
||||
|
||||
# Remove HTML tags and attributes that are not whitelisted
|
||||
def sanitize_html(text)
|
||||
allowed_attributes = ActionView::Base.sanitized_allowed_attributes
|
||||
allowed_tags = ActionView::Base.sanitized_allowed_tags
|
||||
|
||||
|
|
|
@ -614,6 +614,36 @@ describe GitlabMarkdownHelper do
|
|||
expected = ""
|
||||
markdown(actual).should match(expected)
|
||||
end
|
||||
|
||||
it 'should allow whitelisted HTML tags from the user' do
|
||||
actual = '<dl><dt>Term</dt><dd>Definition</dd></dl>'
|
||||
expect(markdown(actual)).to match(actual)
|
||||
end
|
||||
|
||||
it 'should sanitize tags that are not whitelisted' do
|
||||
actual = '<textarea>no inputs allowed</textarea> <blink>no blinks</blink>'
|
||||
expected = 'no inputs allowed no blinks'
|
||||
expect(markdown(actual)).to match(expected)
|
||||
expect(markdown(actual)).not_to match('<.textarea>')
|
||||
expect(markdown(actual)).not_to match('<.blink>')
|
||||
end
|
||||
|
||||
it 'should allow whitelisted tag attributes from the user' do
|
||||
actual = '<a class="custom">link text</a>'
|
||||
expect(markdown(actual)).to match(actual)
|
||||
end
|
||||
|
||||
it 'should sanitize tag attributes that are not whitelisted' do
|
||||
actual = '<a href="http://example.com/bar.html" foo="bar">link text</a>'
|
||||
expected = '<a href="http://example.com/bar.html">link text</a>'
|
||||
expect(markdown(actual)).to match(expected)
|
||||
end
|
||||
|
||||
it 'should sanitize javascript in attributes' do
|
||||
actual = %q(<a href="javascript:alert('foo')">link text</a>)
|
||||
expected = '<a>link text</a>'
|
||||
expect(markdown(actual)).to match(expected)
|
||||
end
|
||||
end
|
||||
|
||||
describe 'markdown for empty repository' do
|
||||
|
|
Loading…
Reference in New Issue