Commit a7afc063 authored by Vinnie Okada

Fix SanitizationFilter bugs

Return a `SafeBuffer` instead of a `String` from the `#gfm_with_options`
method so that Rails doesn't escape our markup.

Also add `<span>` to the sanitization whitelist to avoid breaking syntax
highlighting in code blocks.
parent f5e65e2e
...@@ -89,6 +89,7 @@ module Gitlab ...@@ -89,6 +89,7 @@ module Gitlab
whitelist = HTML::Pipeline::SanitizationFilter::WHITELIST whitelist = HTML::Pipeline::SanitizationFilter::WHITELIST
whitelist[:attributes][:all].push('class', 'id') whitelist[:attributes][:all].push('class', 'id')
whitelist[:elements].push('span')
# Remove the rel attribute that the sanitize gem adds, and remove the # Remove the rel attribute that the sanitize gem adds, and remove the
# href attribute if it contains inline javascript # href attribute if it contains inline javascript
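Review bot: the new `whitelist[:elements].push('span')` (like the existing `push('class', 'id')`) mutates the gem's shared `HTML::Pipeline::SanitizationFilter::WHITELIST` constant in place, since `whitelist` is only a reference to it; every call appends again, and any other code using that constant now sees the widened whitelist. Take a deep copy first (`whitelist = HTML::Pipeline::SanitizationFilter::WHITELIST.deep_dup`) before pushing, so the broadened rules stay local to this filter and do not accumulate duplicates across calls. A spec asserting that `<span class="...">` survives sanitization while unlisted elements are still dropped would document the intended scope of the change.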
...@@ -123,7 +124,7 @@ module Gitlab ...@@ -123,7 +124,7 @@ module Gitlab
text = parse_tasks(text) text = parse_tasks(text)
end end
text text.html_safe
end end
private private
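Review bot: returning `text.html_safe` is only sound if sanitization is guaranteed to have run on every path that reaches this line, including the `parse_tasks(text)` branch just above it; anything marked `html_safe` bypasses Rails' output escaping for good. Confirm that the sanitization filter is the last stage of the pipeline for all options passed to `gfm_with_options`, and add a spec that feeds input containing a script element and an inline-javascript `href` through the method and asserts they are absent from the returned `SafeBuffer`.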