Merge branch...

Merge branch '20857-allow-rel-license-microformat-in-redcarpet-gfm-sanitization-so-that-machine-readable-creative' into 'master' Allow rel="license" microformat for machine-readable Creative Commons attribution See merge request gitlab-org/gitlab!76471

Merge branch...
Merge branch '20857-allow-rel-license-microformat-in-redcarpet-gfm-sanitization-so-that-machine-readable-creative' into 'master' Allow rel="license" microformat for machine-readable Creative Commons attribution See merge request gitlab-org/gitlab!76471
1b73de6c · Max Woolf · eabc3651 · dd445481 · 1b73de6c · 1b73de6c
Commit 1b73de6c authored Dec 16, 2021 by Max Woolf
5 changed files
--- a/doc/user/markdown.md
+++ b/doc/user/markdown.md
@@ -998,6 +998,8 @@ Here's a sample audio clip:

 ### Inline HTML

+> Allowing `rel="license"` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/20857) in GitLab 14.6.
+
 To see the second example of Markdown rendered in HTML,
 [view it in GitLab](https://gitlab.com/gitlab-org/gitlab/-/blob/master/doc/user/markdown.md#inline-html).

@@ -1006,6 +1008,7 @@ You can also use raw HTML in your Markdown, and it usually works pretty well.
 See the documentation for HTML::Pipeline's [SanitizationFilter](https://github.com/jch/html-pipeline/blob/v2.12.3/lib/html/pipeline/sanitization_filter.rb#L42)
 class for the list of allowed HTML tags and attributes. In addition to the default
 `SanitizationFilter` allowlist, GitLab allows `span`, `abbr`, `details` and `summary` elements.
+`rel="license"` is allowed on links to support the [Rel-License microformat](https://microformats.org/wiki/rel-license) and license attribution.

 ```html
 <dl>

--- a/lib/banzai/filter/base_sanitization_filter.rb
+++ b/lib/banzai/filter/base_sanitization_filter.rb
@@ -59,7 +59,11 @@ module Banzai
        def remove_rel
          lambda do |env|
            if env[:node_name] == 'a'
-              env[:node].remove_attribute('rel')
+              # we allow rel="license" to support the Rel-license microformat
+              # http://microformats.org/wiki/rel-license
+              unless env[:node].attribute('rel')&.value == 'license'
+                env[:node].remove_attribute('rel')
+              end
            end
          end
        end

--- a/lib/banzai/filter/external_link_filter.rb
+++ b/lib/banzai/filter/external_link_filter.rb
@@ -112,7 +112,9 @@ module Banzai

      def add_nofollow!(uri, node)
        if SCHEMES.include?(uri&.scheme)
+          license = true if node.attribute('rel')&.value == 'license'
          node.set_attribute('rel', 'nofollow noreferrer noopener')
+          node.kwattr_append('rel', 'license') if license
          node.set_attribute('target', '_blank')
        end
      end

--- a/spec/lib/banzai/filter/external_link_filter_spec.rb
+++ b/spec/lib/banzai/filter/external_link_filter_spec.rb
@@ -191,4 +191,15 @@ RSpec.describe Banzai::Filter::ExternalLinkFilter do
      end
    end
  end
+
+  context 'for links that have `rel=license`' do
+    let(:doc) { filter %q(<a rel="license" href="http://example.com">rel-license</a>) }
+
+    it_behaves_like 'an external link with rel attribute'
+
+    it 'maintains rel license' do
+      expect(doc.at_css('a')).to have_attribute('rel')
+      expect(doc.at_css('a')['rel']).to include 'license'
+    end
+  end
 end
--- a/spec/lib/banzai/filter/sanitization_filter_spec.rb
+++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb
@@ -115,6 +115,11 @@ RSpec.describe Banzai::Filter::SanitizationFilter do
      expect(filter(act).to_html).to eq exp
    end

+    it 'allows `rel=license` in links' do
+      exp = act = '<a rel="license" href="http://example.com">rel-license</a>'
+      expect(filter(act).to_html).to eq exp
+    end
+
    it 'allows `data-math-style` attribute on `code` and `pre` elements' do
      html = <<-HTML
      <pre class="code" data-math-style="inline">something</pre>