Use strong_memoize to customize the SanitizationFilter whitelist

I never liked the hacky `customized?` method anyway, so this is cleaner.
Robert Speicher 2018-07-03 16:50:48 -05:00
parent 89bffe083d
commit d699362a09
No known key found for this signature in database
GPG key ID: 1D812769A7706642


@ -4,27 +4,20 @@ module Banzai
#
# Extends HTML::Pipeline::SanitizationFilter with a custom whitelist.
class SanitizationFilter < HTML::Pipeline::SanitizationFilter
include Gitlab::Utils::StrongMemoize
UNSAFE_PROTOCOLS = %w(data javascript vbscript).freeze
TABLE_ALIGNMENT_PATTERN = /text-align: (?<alignment>center|left|right)/
def whitelist
whitelist = super.dup
customize_whitelist(whitelist)
whitelist
strong_memoize(:whitelist) do
customize_whitelist(super.dup)
end
end
private
def customized?(transformers)
transformers.last.source_location[0] == __FILE__
end
def customize_whitelist(whitelist)
# Only push these customizations once
return if customized?(whitelist[:transformers])
# Allow table alignment; we whitelist specific text-align values in a
# transformer below
whitelist[:attributes]['th'] = %w(style)