Commit cc29ce49 authored by Vinnie Okada

Don't allow style attributes in inline HTML

parent 52bf95ae
Please view this file on the master branch, on stable branches it's out of date. Please view this file on the master branch, on stable branches it's out of date.
v 7.10.0 (unreleased) v 7.10.0 (unreleased)
- Allow HTML tags in Markdown input
v 7.9.0 (unreleased) v 7.9.0 (unreleased)
- Add HipChat integration documentation (Stan Hu) - Add HipChat integration documentation (Stan Hu)
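Review bot: the v 7.10.0 entry "Allow HTML tags in Markdown input" says nothing about which attributes survive sanitization, even though the commit message records that style attributes are now rejected; readers of the changelog will assume arbitrary inline HTML works. Suggest extending the entry to state the restriction, e.g. "- Allow HTML tags in Markdown input (class and id attributes only; style is stripped)", so the deliberate limitation is documented where users look for it.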
......
...@@ -88,7 +88,7 @@ def gfm_with_options(text, options = {}, project = @project, html_options = {}) ...@@ -88,7 +88,7 @@ def gfm_with_options(text, options = {}, project = @project, html_options = {})
] ]
whitelist = HTML::Pipeline::SanitizationFilter::WHITELIST whitelist = HTML::Pipeline::SanitizationFilter::WHITELIST
whitelist[:attributes][:all].push('class', 'id', 'style') whitelist[:attributes][:all].push('class', 'id')
# Remove the rel attribute that the sanitize gem adds, and remove the # Remove the rel attribute that the sanitize gem adds, and remove the
# href attribute if it contains inline javascript # href attribute if it contains inline javascript
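Review bot: `whitelist = HTML::Pipeline::SanitizationFilter::WHITELIST` followed by `whitelist[:attributes][:all].push('class', 'id')` mutates the gem's shared constant in place on every call to gfm_with_options, so the array keeps growing with duplicate entries and any other code in the process that relies on the library default also silently gets 'class' and 'id' allowed. Dropping 'style' from the push is the right call, since inline CSS lets user content overlay or reposition page chrome, but the mutation should be on a copy, e.g. `whitelist = HTML::Pipeline::SanitizationFilter::WHITELIST.deep_dup` (or a hand-built deep copy, since the nested arrays are what get modified) before the push. Also worth a comment: keeping 'id' and 'class' means user-supplied markup can still match the application's own CSS and JavaScript selectors, which is a lower-severity but real consequence of this whitelist.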
......