Commit 03b31089 authored by Douwe Maan

Merge branch '21605-allow-html5-details' into 'master'

SanitizationFilter allows html5 details and summary (Issue #21605)

Closes #21605

See merge request !6568
parents 79b8f02b 9a672c4f
...@@ -105,7 +105,7 @@ gem 'seed-fu', '~> 2.3.5' ...@@ -105,7 +105,7 @@ gem 'seed-fu', '~> 2.3.5'
gem 'html-pipeline', '~> 1.11.0' gem 'html-pipeline', '~> 1.11.0'
gem 'deckar01-task_list', '1.0.6', require: 'task_list/railtie' gem 'deckar01-task_list', '1.0.6', require: 'task_list/railtie'
gem 'gitlab-markup', '~> 1.5.1' gem 'gitlab-markup', '~> 1.5.1'
gem 'redcarpet', '~> 3.3.3' gem 'redcarpet', '~> 3.4'
gem 'RedCloth', '~> 4.3.2' gem 'RedCloth', '~> 4.3.2'
gem 'rdoc', '~> 4.2' gem 'rdoc', '~> 4.2'
gem 'org-ruby', '~> 0.9.12' gem 'org-ruby', '~> 0.9.12'
......
...@@ -583,7 +583,7 @@ GEM ...@@ -583,7 +583,7 @@ GEM
recaptcha (3.0.0) recaptcha (3.0.0)
json json
recursive-open-struct (1.0.0) recursive-open-struct (1.0.0)
redcarpet (3.3.3) redcarpet (3.4.0)
redis (3.2.2) redis (3.2.2)
redis-actionpack (5.0.1) redis-actionpack (5.0.1)
actionpack (>= 4.0, < 6) actionpack (>= 4.0, < 6)
...@@ -955,7 +955,7 @@ DEPENDENCIES ...@@ -955,7 +955,7 @@ DEPENDENCIES
rblineprof (~> 0.3.6) rblineprof (~> 0.3.6)
rdoc (~> 4.2) rdoc (~> 4.2)
recaptcha (~> 3.0) recaptcha (~> 3.0)
redcarpet (~> 3.3.3) redcarpet (~> 3.4)
redis (~> 3.2) redis (~> 3.2)
redis-namespace (~> 1.5.2) redis-namespace (~> 1.5.2)
redis-rails (~> 5.0.1) redis-rails (~> 5.0.1)
......
...@@ -110,7 +110,7 @@ require('./lib/utils/common_utils'); ...@@ -110,7 +110,7 @@ require('./lib/utils/common_utils');
return `<dl>\n${lines.join('\n')}\n</dl>`; return `<dl>\n${lines.join('\n')}\n</dl>`;
}, },
'sub, dt, dd, kbd, q, samp, var, ruby, rt, rp, abbr'(el, text) { 'sub, dt, dd, kbd, q, samp, var, ruby, rt, rp, abbr, summary, details'(el, text) {
const tag = el.nodeName.toLowerCase(); const tag = el.nodeName.toLowerCase();
return `<${tag}>${text}</${tag}>`; return `<${tag}>${text}</${tag}>`;
}, },
......
...@@ -86,6 +86,16 @@ ...@@ -86,6 +86,16 @@
position: fixed; position: fixed;
} }
/*
* Fix <summary> elements on firefox
* See https://github.com/necolas/normalize.css/issues/640
* and https://github.com/twbs/bootstrap/issues/21060
*
*/
summary {
display: list-item;
}
@import "bootstrap/responsive-utilities"; @import "bootstrap/responsive-utilities";
// Labels // Labels
......
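Review bot: The new comment block carries an empty ` *` line before `*/`, and it uses `/* */` where the surrounding file comments with `//` (`// Labels` follows immediately); dropping the blank star line and writing it as `// Fix <summary> elements on firefox` with the two issue links on `//` lines keeps the file consistent. The `summary { display: list-item; }` rule itself matches the linked normalize.css and bootstrap issues, so the point is only about the comment's shape.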
---
title: SanitizationFilter allows html5 details and summary tags
merge_request: 6568
author:
...@@ -576,7 +576,7 @@ Quote break. ...@@ -576,7 +576,7 @@ Quote break.
You can also use raw HTML in your Markdown, and it'll mostly work pretty well. You can also use raw HTML in your Markdown, and it'll mostly work pretty well.
See the documentation for HTML::Pipeline's [SanitizationFilter](http://www.rubydoc.info/gems/html-pipeline/1.11.0/HTML/Pipeline/SanitizationFilter#WHITELIST-constant) class for the list of allowed HTML tags and attributes. In addition to the default `SanitizationFilter` whitelist, GitLab allows `span` elements. See the documentation for HTML::Pipeline's [SanitizationFilter](http://www.rubydoc.info/gems/html-pipeline/1.11.0/HTML/Pipeline/SanitizationFilter#WHITELIST-constant) class for the list of allowed HTML tags and attributes. In addition to the default `SanitizationFilter` whitelist, GitLab allows `span`, `abbr`, `details` and `summary` elements.
```no-highlight ```no-highlight
<dl> <dl>
......
...@@ -35,6 +35,10 @@ module Banzai ...@@ -35,6 +35,10 @@ module Banzai
# Allow span elements # Allow span elements
whitelist[:elements].push('span') whitelist[:elements].push('span')
# Allow html5 details/summary elements
whitelist[:elements].push('details')
whitelist[:elements].push('summary')
# Allow abbr elements with title attribute # Allow abbr elements with title attribute
whitelist[:elements].push('abbr') whitelist[:elements].push('abbr')
whitelist[:attributes]['abbr'] = %w(title) whitelist[:attributes]['abbr'] = %w(title)
......
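Review bot: The two new `push` calls add `details` and `summary` as bare elements with no entry in `whitelist[:attributes]`, so unlike `abbr` a few lines below (which gets `title`), every attribute on them is dropped: `<details open>` will render collapsed, and event-handler attributes such as `ontoggle` are stripped, which is the safe default for a new element. If element-only is the intent it should be stated, e.g. `# Allow html5 details/summary elements (element only: no attributes, so open is stripped)`, so a later change does not add `open` without thinking about it. The two pushes could also be one call, `whitelist[:elements].push('details', 'summary')`. The enclosing method starts and ends outside the hunk.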
...@@ -275,6 +275,10 @@ describe 'Copy as GFM', feature: true, js: true do ...@@ -275,6 +275,10 @@ describe 'Copy as GFM', feature: true, js: true do
<rp>rp</rp> <rp>rp</rp>
<abbr>abbr</abbr> <abbr>abbr</abbr>
<summary>summary</summary>
<details>details</details>
GFM GFM
) )
......
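Review bot: The added fixture lists `<summary>` and `<details>` as siblings, while the markup users actually produce nests summary inside details (as in the markdown fixture this commit adds), so the nested path through the new `'..., summary, details'` handler in copy_as_gfm.js is not exercised. Replacing the two lines with `<details><summary>summary</summary>details</details>` would cover that shape; since the handler re-emits the tag around its converted text, the expected GFM would presumably be the same markup, but that should be confirmed against the JS. The surrounding fixture starts and ends outside the hunk.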
...@@ -115,6 +115,14 @@ describe 'GitLab Markdown', feature: true do ...@@ -115,6 +115,14 @@ describe 'GitLab Markdown', feature: true do
expect(doc).to have_selector('span:contains("span tag")') expect(doc).to have_selector('span:contains("span tag")')
end end
it 'permits details elements' do
expect(doc).to have_selector('details:contains("Hiding the details")')
end
it 'permits summary elements' do
expect(doc).to have_selector('details summary:contains("collapsible")')
end
it 'permits style attribute in th elements' do it 'permits style attribute in th elements' do
aggregate_failures do aggregate_failures do
expect(doc.at_css('th:contains("Header")')['style']).to eq 'text-align: center' expect(doc.at_css('th:contains("Header")')['style']).to eq 'text-align: center'
......
...@@ -79,6 +79,11 @@ As permissive as it is, we've allowed even more stuff: ...@@ -79,6 +79,11 @@ As permissive as it is, we've allowed even more stuff:
<span>span tag</span> <span>span tag</span>
<details>
<summary>Summary lines are collapsible:</summary>
Hiding the details until expanded.
</details>
<a href="#" rel="bookmark">This is a link with a defined rel attribute, which should be removed</a> <a href="#" rel="bookmark">This is a link with a defined rel attribute, which should be removed</a>
<a href="javascript:alert('Hi')">This is a link trying to be sneaky. It gets its link removed entirely.</a> <a href="javascript:alert('Hi')">This is a link trying to be sneaky. It gets its link removed entirely.</a>
......
...@@ -86,6 +86,16 @@ describe Banzai::Filter::SanitizationFilter, lib: true do ...@@ -86,6 +86,16 @@ describe Banzai::Filter::SanitizationFilter, lib: true do
expect(filter(act).to_html).to eq exp expect(filter(act).to_html).to eq exp
end end
it 'allows `summary` elements' do
exp = act = '<summary>summary line</summary>'
expect(filter(act).to_html).to eq exp
end
it 'allows `details` elements' do
exp = act = '<details>long text goes here</details>'
expect(filter(act).to_html).to eq exp
end
it 'removes `rel` attribute from `a` elements' do it 'removes `rel` attribute from `a` elements' do
act = %q{<a href="#" rel="nofollow">Link</a>} act = %q{<a href="#" rel="nofollow">Link</a>}
exp = %q{<a href="#">Link</a>} exp = %q{<a href="#">Link</a>}
......
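Review bot: Both new examples assert only that the bare elements round-trip; nothing pins the negative side, that attributes on `details` are removed, which is the property that keeps the new whitelist entries safe. A third example next to them would do it: `act = %q{<details open ontoggle="x">text</details>}`, `exp = %q{<details>text</details>}`, `expect(filter(act).to_html).to eq exp` — the expected value assumes `open` is not in the filter's attribute whitelist, which the filter hunk in this commit (elements pushed, no attribute entry) suggests but does not prove. The nested `<details><summary>…</summary>text</details>` form used in the markdown fixture is also not covered here. The enclosing `describe` starts and ends outside the hunk.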