Don't allow style attributes in inline HTML
parent
52bf95ae38
commit
cc29ce4917
|
@ -1,6 +1,7 @@
|
|||
Please view this file on the master branch, on stable branches it's out of date.
|
||||
|
||||
v 7.10.0 (unreleased)
|
||||
- Allow HTML tags in Markdown input
|
||||
|
||||
v 7.9.0 (unreleased)
|
||||
- Add HipChat integration documentation (Stan Hu)
|
||||
|
|
|
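Review bot: the v 7.10.0 entry "Allow HTML tags in Markdown input" does not say that inline HTML is sanitized or that the style attribute is stripped, which is the behaviour this commit sets. Suggest wording the entry so readers know what to expect, for example "Allow HTML tags in Markdown input (sanitized, style attributes removed)".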
@ -88,7 +88,7 @@ module Gitlab
|
|||
]
|
||||
|
||||
whitelist = HTML::Pipeline::SanitizationFilter::WHITELIST
|
||||
whitelist[:attributes][:all].push('class', 'id', 'style')
|
||||
whitelist[:attributes][:all].push('class', 'id')
|
||||
|
||||
# Remove the rel attribute that the sanitize gem adds, and remove the
|
||||
# href attribute if it contains inline javascript
|
||||
|
|
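Review bot: `whitelist = HTML::Pipeline::SanitizationFilter::WHITELIST` binds the library's constant rather than a copy, so the `push('class', 'id')` that follows modifies the shared `[:attributes][:all]` array in place. Each time this code runs the entries are appended again, and any other user of SanitizationFilter in the same process inherits them. Suggest duplicating the hash together with its nested `:attributes` and `:all` values and appending to the copy, ideally once at load time. No spec change is visible here; an assertion that a style attribute in Markdown input is stripped from the rendered output, while class and id survive, would pin the new behaviour down.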