Commit a183b529 authored by Douwe Maan's avatar Douwe Maan

Merge branch 'rs-allow-name-on-anchors' into 'master'

Re-allow `name` attribute on user-provided anchor HTML

Closes #38196

See merge request gitlab-org/gitlab-ce!14452
parents 26f05621 f6bc4403
---
title: Re-allow `name` attribute on user-provided anchor HTML
merge_request:
author:
type: fixed
...@@ -45,8 +45,9 @@ module Banzai ...@@ -45,8 +45,9 @@ module Banzai
whitelist[:elements].push('abbr') whitelist[:elements].push('abbr')
whitelist[:attributes]['abbr'] = %w(title) whitelist[:attributes]['abbr'] = %w(title)
# Disallow `name` attribute globally # Disallow `name` attribute globally, allow on `a`
whitelist[:attributes][:all].delete('name') whitelist[:attributes][:all].delete('name')
whitelist[:attributes]['a'].push('name')
# Allow any protocol in `a` elements... # Allow any protocol in `a` elements...
whitelist[:protocols].delete('a') whitelist[:protocols].delete('a')
......
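Review bot: The `whitelist[:attributes]['a'].push('name')` line reopens part of the DOM-clobbering surface the global removal was there to close, because under the HTML named-access rules an `a` element's `name` is one of the attributes that populate window named properties, so `<a name="foo">` can shadow an undeclared global that frontend code probes with `window.foo`. Window's own properties take precedence over named properties, so this is narrower than the `<img name>` case the existing test guards against, but the comment should record that trade-off instead of just "allow on `a`"; suggested wording: `# Disallow \`name\` globally (DOM clobbering); re-allowed on \`a\` for in-page link targets — note \`<a name>\` still takes part in window named-property lookup`. If the default whitelist is not guaranteed to carry an `'a'` entry, `push` raises on nil, and `(whitelist[:attributes]['a'] ||= []).push('name')` is the defensive form — presumably the key is present, but that is not visible here. The enclosing method starts before the hunk.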
...@@ -47,9 +47,11 @@ describe Banzai::Filter::SanitizationFilter do ...@@ -47,9 +47,11 @@ describe Banzai::Filter::SanitizationFilter do
describe 'custom whitelist' do describe 'custom whitelist' do
it 'customizes the whitelist only once' do it 'customizes the whitelist only once' do
instance = described_class.new('Foo') instance = described_class.new('Foo')
control_count = instance.whitelist[:transformers].size
3.times { instance.whitelist } 3.times { instance.whitelist }
expect(instance.whitelist[:transformers].size).to eq 5 expect(instance.whitelist[:transformers].size).to eq control_count
end end
it 'sanitizes `class` attribute from all elements' do it 'sanitizes `class` attribute from all elements' do
...@@ -101,16 +103,18 @@ describe Banzai::Filter::SanitizationFilter do ...@@ -101,16 +103,18 @@ describe Banzai::Filter::SanitizationFilter do
expect(filter(act).to_html).to eq exp expect(filter(act).to_html).to eq exp
end end
it 'disallows the `name` attribute globally' do it 'disallows the `name` attribute globally, allows on `a`' do
html = <<~HTML html = <<~HTML
<img name="getElementById" src=""> <img name="getElementById" src="">
<span name="foo" class="bar">Hi</span> <span name="foo" class="bar">Hi</span>
<a name="foo" class="bar">Bye</a>
HTML HTML
doc = filter(html) doc = filter(html)
expect(doc.at_css('img')).not_to have_attribute('name') expect(doc.at_css('img')).not_to have_attribute('name')
expect(doc.at_css('span')).not_to have_attribute('name') expect(doc.at_css('span')).not_to have_attribute('name')
expect(doc.at_css('a')).to have_attribute('name')
end end
it 'allows `summary` elements' do it 'allows `summary` elements' do
......
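Review bot: The new `<a name="foo" class="bar">Bye</a>` case only shows the attribute survives on a plain anchor; it does not pin the behaviour the neighbouring `<img name="getElementById">` fixture is about, namely a `name` whose value names a DOM member. Adding a second anchor such as `<a name="getElementById">Clobber</a>` and asserting `expect(doc.css('a').map { |a| a['name'] }).to eq %w(foo getElementById)` would document that anchor names are deliberately not filtered by value, so a later tightening or regression shows up in this spec rather than in production. `doc.at_css('a')` checks only the first match, which is why the collection form is needed once there are two anchors.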