Commit 40ed2163 authored by Douwe Maan's avatar Douwe Maan

Merge branch 'rs-issue-36104' into 'security-9-5'

[9.5] Disallow the `name` attribute on all user-provided markup

See merge request gitlab/gitlabhq!2166
parents e7757486 d230224f
...@@ -6,4 +6,4 @@ ...@@ -6,4 +6,4 @@
This Route Map is invalid: This Route Map is invalid:
= viewer.validation_message = viewer.validation_message
= link_to 'Learn more', help_page_path('ci/environments', anchor: 'route-map') = link_to 'Learn more', help_page_path('ci/environments', anchor: 'go-directly-from-source-files-to-public-pages-on-the-environment')
= icon('spinner spin fw') = icon('spinner spin fw')
Validating Route Map… Validating Route Map…
= link_to 'Learn more', help_page_path('ci/environments', anchor: 'route-map') = link_to 'Learn more', help_page_path('ci/environments', anchor: 'go-directly-from-source-files-to-public-pages-on-the-environment')
---
title: Disallow the `name` attribute on all user-provided markup
merge_request:
author:
...@@ -448,8 +448,7 @@ and/or `production`) you can see this information in the merge request itself. ...@@ -448,8 +448,7 @@ and/or `production`) you can see this information in the merge request itself.
![Environment URLs in merge request](img/environments_link_url_mr.png) ![Environment URLs in merge request](img/environments_link_url_mr.png)
### <a name="route-map"></a>Go directly from source files to public pages on the environment ### Go directly from source files to public pages on the environment
> Introduced in GitLab 8.17. > Introduced in GitLab 8.17.
......
...@@ -75,7 +75,7 @@ log_bin_trust_function_creators=1 ...@@ -75,7 +75,7 @@ log_bin_trust_function_creators=1
### MySQL utf8mb4 support ### MySQL utf8mb4 support
After installation or upgrade, remember to [convert any new tables](#convert) to `utf8mb4`/`utf8mb4_general_ci`. After installation or upgrade, remember to [convert any new tables](#tables-and-data-conversion-to-utf8mb4) to `utf8mb4`/`utf8mb4_general_ci`.
--- ---
...@@ -230,7 +230,6 @@ We need to check, enable and probably convert your existing GitLab DB tables to ...@@ -230,7 +230,6 @@ We need to check, enable and probably convert your existing GitLab DB tables to
> Now, ensure that [innodb_file_format](https://dev.mysql.com/doc/refman/5.6/en/tablespace-enabling.html) and [innodb_large_prefix](http://dev.mysql.com/doc/refman/5.7/en/innodb-parameters.html#sysvar_innodb_large_prefix) are **persisted** in your `my.cnf` file. > Now, ensure that [innodb_file_format](https://dev.mysql.com/doc/refman/5.6/en/tablespace-enabling.html) and [innodb_large_prefix](http://dev.mysql.com/doc/refman/5.7/en/innodb-parameters.html#sysvar_innodb_large_prefix) are **persisted** in your `my.cnf` file.
#### Tables and data conversion to utf8mb4 #### Tables and data conversion to utf8mb4
<a name="convert"></a>
Now that you have a persistent MySQL setup, you can safely upgrade tables after setup or upgrade time: Now that you have a persistent MySQL setup, you can safely upgrade tables after setup or upgrade time:
......
...@@ -43,6 +43,9 @@ module Banzai ...@@ -43,6 +43,9 @@ module Banzai
whitelist[:elements].push('abbr') whitelist[:elements].push('abbr')
whitelist[:attributes]['abbr'] = %w(title) whitelist[:attributes]['abbr'] = %w(title)
# Disallow `name` attribute globally
whitelist[:attributes][:all].delete('name')
# Allow any protocol in `a` elements... # Allow any protocol in `a` elements...
whitelist[:protocols].delete('a') whitelist[:protocols].delete('a')
......
...@@ -288,8 +288,6 @@ describe 'Copy as GFM', js: true do ...@@ -288,8 +288,6 @@ describe 'Copy as GFM', js: true do
'SanitizationFilter', 'SanitizationFilter',
<<-GFM.strip_heredoc <<-GFM.strip_heredoc
<a name="named-anchor"></a>
<sub>sub</sub> <sub>sub</sub>
<dl> <dl>
......
...@@ -87,6 +87,18 @@ describe Banzai::Filter::SanitizationFilter do ...@@ -87,6 +87,18 @@ describe Banzai::Filter::SanitizationFilter do
expect(filter(act).to_html).to eq exp expect(filter(act).to_html).to eq exp
end end
it 'disallows the `name` attribute globally' do
html = <<~HTML
<img name="getElementById" src="">
<span name="foo" class="bar">Hi</span>
HTML
doc = filter(html)
expect(doc.at_css('img')).not_to have_attribute('name')
expect(doc.at_css('span')).not_to have_attribute('name')
end
it 'allows `summary` elements' do it 'allows `summary` elements' do
exp = act = '<summary>summary line</summary>' exp = act = '<summary>summary line</summary>'
expect(filter(act).to_html).to eq exp expect(filter(act).to_html).to eq exp
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment