Commit 6798a6a8 authored by Vinnie Okada's avatar Vinnie Okada

Allow HTML tags in user Markdown input

Allow whitelisted tags to appear in rendered HTML output by disabling
Redcarpet's `:filter_html` option.
parent f7342ce5
......@@ -33,7 +33,6 @@ module GitlabMarkdownHelper
@options = options
gitlab_renderer = Redcarpet::Render::GitlabHTML.new(self, {
# see https://github.com/vmg/redcarpet#darling-i-packed-you-a-couple-renderers-for-lunch-
filter_html: true,
with_toc_data: true,
safe_links_only: true
}.merge(options))
......@@ -48,7 +47,7 @@ module GitlabMarkdownHelper
space_after_headers: true,
superscript: true)
end
@markdown.render(text).html_safe
@markdown.render(sanitize_html(text)).html_safe
end
def first_line_in_markdown(text)
......
......@@ -80,6 +80,11 @@ module Gitlab
markdown_context)
text = result[:output].to_html(save_with: 0)
sanitize_html(text)
end
# Remove HTML tags and attributes that are not whitelisted
def sanitize_html(text)
allowed_attributes = ActionView::Base.sanitized_allowed_attributes
allowed_tags = ActionView::Base.sanitized_allowed_tags
......
......@@ -614,6 +614,36 @@ describe GitlabMarkdownHelper do
expected = ""
markdown(actual).should match(expected)
end
it 'should allow whitelisted HTML tags from the user' do
actual = '<dl><dt>Term</dt><dd>Definition</dd></dl>'
expect(markdown(actual)).to match(actual)
end
it 'should sanitize tags that are not whitelisted' do
actual = '<textarea>no inputs allowed</textarea> <blink>no blinks</blink>'
expected = 'no inputs allowed no blinks'
expect(markdown(actual)).to match(expected)
expect(markdown(actual)).not_to match('<.textarea>')
expect(markdown(actual)).not_to match('<.blink>')
end
it 'should allow whitelisted tag attributes from the user' do
actual = '<a class="custom">link text</a>'
expect(markdown(actual)).to match(actual)
end
it 'should sanitize tag attributes that are not whitelisted' do
actual = '<a href="http://example.com/bar.html" foo="bar">link text</a>'
expected = '<a href="http://example.com/bar.html">link text</a>'
expect(markdown(actual)).to match(expected)
end
it 'should sanitize javascript in attributes' do
actual = %q(<a href="javascript:alert('foo')">link text</a>)
expected = '<a>link text</a>'
expect(markdown(actual)).to match(expected)
end
end
describe 'markdown for empty repository' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment