kotovalexarian-likes-gitlab/gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity

Merge branch 'rs-issue-36104' into 'security-9-5'

Browse source 
[9.5] Disallow the `name` attribute on all user-provided markup

See merge request gitlab/gitlabhq!2166
This commit is contained in:
Douwe Maan 2017-08-30 17:34:34 +00:00 committed by Robert Speicher
parent 8629d5822a
commit 9b09856e7b
8 changed files with 23 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
app/views/projects/blob/viewers/_route_map.html.haml
View file

@ -6,4 +6,4 @@
This Route Map is invalid:
= viewer.validation_message
= link_to 'Learn more', help_page_path('ci/environments', anchor: 'route-map')
= link_to 'Learn more', help_page_path('ci/environments', anchor: 'go-directly-from-source-files-to-public-pages-on-the-environment')

2
app/views/projects/blob/viewers/_route_map_loading.html.haml
View file

@ -1,4 +1,4 @@
= icon('spinner spin fw')
Validating Route Map…
= link_to 'Learn more', help_page_path('ci/environments', anchor: 'route-map')
= link_to 'Learn more', help_page_path('ci/environments', anchor: 'go-directly-from-source-files-to-public-pages-on-the-environment')

4
changelogs/unreleased/rs-issue-36104.yml Normal file
View file

@ -0,0 +1,4 @@
---
title: Disallow the `name` attribute on all user-provided markup
merge_request:
author:

3
doc/ci/environments.md
View file

@ -446,8 +446,7 @@ and/or `production`) you can see this information in the merge request itself.
![Environment URLs in merge request](img/environments_link_url_mr.png)
### <a name="route-map"></a>Go directly from source files to public pages on the environment
### Go directly from source files to public pages on the environment
> Introduced in GitLab 8.17.

3
doc/install/database_mysql.md
View file

@ -75,7 +75,7 @@ log_bin_trust_function_creators=1
### MySQL utf8mb4 support
After installation or upgrade, remember to [convert any new tables](#convert) to `utf8mb4`/`utf8mb4_general_ci`.
After installation or upgrade, remember to [convert any new tables](#tables-and-data-conversion-to-utf8mb4) to `utf8mb4`/`utf8mb4_general_ci`.
---
@ -230,7 +230,6 @@ We need to check, enable and probably convert your existing GitLab DB tables to
> Now, ensure that [innodb_file_format](https://dev.mysql.com/doc/refman/5.6/en/tablespace-enabling.html) and [innodb_large_prefix](http://dev.mysql.com/doc/refman/5.7/en/innodb-parameters.html#sysvar_innodb_large_prefix) are **persisted** in your `my.cnf` file.
#### Tables and data conversion to utf8mb4
<a name="convert"></a>
Now that you have a persistent MySQL setup, you can safely upgrade tables after setup or upgrade time:

3
lib/banzai/filter/sanitization_filter.rb
View file

@ -45,6 +45,9 @@ module Banzai
whitelist[:elements].push('abbr')
whitelist[:attributes]['abbr'] = %w(title)
# Disallow `name` attribute globally
whitelist[:attributes][:all].delete('name')
# Allow any protocol in `a` elements...
whitelist[:protocols].delete('a')

2
spec/features/copy_as_gfm_spec.rb
View file

@ -288,8 +288,6 @@ describe 'Copy as GFM', js: true do
'SanitizationFilter',
<<-GFM.strip_heredoc
<a name="named-anchor"></a>
<sub>sub</sub>
<dl>

12
spec/lib/banzai/filter/sanitization_filter_spec.rb
View file

@ -101,6 +101,18 @@ describe Banzai::Filter::SanitizationFilter do
expect(filter(act).to_html).to eq exp
end
it 'disallows the `name` attribute globally' do
html = <<~HTML
<img name="getElementById" src="">
<span name="foo" class="bar">Hi</span>
HTML
doc = filter(html)
expect(doc.at_css('img')).not_to have_attribute('name')
expect(doc.at_css('span')).not_to have_attribute('name')
end
it 'allows `summary` elements' do
exp = act = '<summary>summary line</summary>'
expect(filter(act).to_html).to eq exp