Commit 52bf95ae authored by Vinnie Okada

Change HTML sanitization

Use the `SanitizationFilter` class from the html-pipeline gem for inline
HTML instead of calling the Rails `sanitize` method.
parent feeffc44
......@@ -49,7 +49,7 @@ def markdown(text, options={})
space_after_headers: true,
superscript: true)
end
@markdown.render(sanitize_html(text)).html_safe
@markdown.render(text).html_safe
end
# Return the first line of +text+, up to +max_chars+, after parsing the line
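Review bot: Dropping `sanitize_html` from `markdown` (the `@markdown.render(text)` line) means anything rendered through this helper alone, without the `gfm_with_options` pipeline, reaches the page unsanitized and marked `html_safe`. Either keep a sanitization step here or state in the method comment that every caller must route the output through the `SanitizationFilter` pipeline, and add a spec covering that path.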
......@@ -440,64 +440,7 @@ Note that inline HTML is disabled in the default Gitlab configuration, although
<dd>Does *not* work **very** well. Use HTML <em>tags</em>.</dd>
</dl>
The following tags can be used:
* `<a/>`
* `<abbr/>`
* `<acronym/>`
* `<address/>`
* `<b/>`
* `<big/>`
* `<blockquote/>`
* `<br/>`
* `<cite/>`
* `<code/>`
* `<dd/>`
* `<del/>`
* `<dfn/>`
* `<div/>`
* `<dl/>`
* `<dt/>`
* `<em/>`
* `<h1/>`
* `<h2/>`
* `<h3/>`
* `<h4/>`
* `<h5/>`
* `<h6/>`
* `<hr/>`
* `<i/>`
* `<img/>`
* `<ins/>`
* `<kbd/>`
* `<li/>`
* `<ol/>`
* `<p/>`
* `<pre/>`
* `<samp/>`
* `<small/>`
* `<span/>`
* `<strong/>`
* `<sub/>`
* `<sup/>`
* `<tt/>`
* `<ul/>`
* `<var/>`
You can also use the following HTML attributes in your inline tags:
* `abbr`
* `alt`
* `cite`
* `class`
* `datetime`
* `height`
* `href`
* `name`
* `src`
* `title`
* `width`
* `xml:lang`
See the documentation for HTML::Pipeline's [SanitizationFilter](http://www.rubydoc.info/gems/html-pipeline/HTML/Pipeline/SanitizationFilter#WHITELIST-constant) class for the list of allowed HTML tags and attributes. In addition to the default `SanitizationFilter` whitelist, GitLab allows the `class`, `id`, and `style` attributes.
## Horizontal Rule
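Review bot: Missing documentation: the new paragraph lists `class`, `id` and `style` as the attributes GitLab adds on top of the default whitelist, but does not mention that `rel` is stripped from inline `<a>` tags and that an `href` containing `javascript:` is removed, which is the behaviour users writing inline links will run into. A sentence on that, and on the fact that `style` permits inline CSS on user-supplied content, would make the sanitization boundary clear to readers of this page.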
......@@ -79,15 +79,34 @@ def gfm_with_options(text, options = {}, project = @project, html_options = {})
# Used markdown pipelines in GitLab:
# GitlabEmojiFilter - performs emoji replacement.
# SanitizationFilter - remove unsafe HTML tags and attributes
#
# see https://gitlab.com/gitlab-org/html-pipeline-gitlab for more filters
filters = [
HTML::Pipeline::Gitlab::GitlabEmojiFilter
HTML::Pipeline::Gitlab::GitlabEmojiFilter,
HTML::Pipeline::SanitizationFilter
]
whitelist = HTML::Pipeline::SanitizationFilter::WHITELIST
whitelist[:attributes][:all].push('class', 'id', 'style')
# Remove the rel attribute that the sanitize gem adds, and remove the
# href attribute if it contains inline javascript
fix_anchors = lambda do |env|
name, node = env[:node_name], env[:node]
if name == 'a'
node.remove_attribute('rel')
if node['href'] && node['href'].match('javascript:')
node.remove_attribute('href')
end
end
end
whitelist[:transformers].push(fix_anchors)
markdown_context = {
asset_root: Gitlab.config.gitlab.url,
asset_host: Gitlab::Application.config.asset_host
asset_host: Gitlab::Application.config.asset_host,
whitelist: whitelist
}
markdown_pipeline = HTML::Pipeline::Gitlab.new(filters).pipeline
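Review bot: Logic problem in the whitelist setup: `whitelist = HTML::Pipeline::SanitizationFilter::WHITELIST` aliases the gem's constant rather than copying it, so `whitelist[:attributes][:all].push('class', 'id', 'style')` and `whitelist[:transformers].push(fix_anchors)` mutate the shared hash on every call of `gfm_with_options`; the transformer array gains one more lambda per render and the attribute additions leak to every other user of the constant. Build the whitelist once (a deep copy of the constant with the additions applied, memoized in a constant or class method) and pass that copy in `markdown_context`. Secondary point on `fix_anchors`: `node['href'].match('javascript:')` is a case-sensitive substring test, so it is both over-broad (an `href` that merely contains that text anywhere is stripped) and not a reliable scheme check; prefer the sanitize gem's `:protocols` configuration for the `a`/`href` attribute, which the gem evaluates on the normalised URL, over a hand-written match.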
......@@ -97,22 +116,13 @@ def gfm_with_options(text, options = {}, project = @project, html_options = {})
if options[:xhtml]
saveoptions |= Nokogiri::XML::Node::SaveOptions::AS_XHTML
end
text = result[:output].to_html(save_with: saveoptions)
sanitize_html(text)
end
# Remove HTML tags and attributes that are not whitelisted
def sanitize_html(text)
allowed_attributes = ActionView::Base.sanitized_allowed_attributes
allowed_tags = ActionView::Base.sanitized_allowed_tags
text = result[:output].to_html(save_with: saveoptions)
text = sanitize text.html_safe,
attributes: allowed_attributes + %w(id class style),
tags: allowed_tags + %w(table tr td th)
if options[:parse_tasks]
text = parse_tasks(text)
end
text
end
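Review bot: The removed `sanitize_html` extended the tag list with `%w(table tr td th)`; the replacement whitelist in this change only adds attributes, so unless the default `SanitizationFilter` whitelist already permits those table elements, tables in existing content will now be stripped. Please confirm against the gem's `WHITELIST` and add a spec that renders a `<table>` through `gfm_with_options` so that regression would be caught.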