Re-allow `name` attribute on user-provided anchor HTML

c3bda6c3 · Robert Speicher · f9df0e13 · c3bda6c3 · c3bda6c3 · c3bda6c3
Commit c3bda6c3 authored Sep 22, 2017 by Robert Speicher
3 changed files
--- a/changelogs/unreleased/rs-allow-name-on-anchors.yml
+++ b/changelogs/unreleased/rs-allow-name-on-anchors.yml
+---
+title: Re-allow `name` attribute on user-provided anchor HTML
+merge_request:
+author:
+type: fixed
--- a/lib/banzai/filter/sanitization_filter.rb
+++ b/lib/banzai/filter/sanitization_filter.rb
@@ -45,8 +45,9 @@ module Banzai
        whitelist[:elements].push('abbr')
        whitelist[:attributes]['abbr'] = %w(title)

-        # Disallow `name` attribute globally
+        # Disallow `name` attribute globally, allow on `a`
        whitelist[:attributes][:all].delete('name')
+        whitelist[:attributes]['a'].push('name')

        # Allow any protocol in `a` elements...
        whitelist[:protocols].delete('a')

--- a/spec/lib/banzai/filter/sanitization_filter_spec.rb
+++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb
@@ -101,16 +101,18 @@ describe Banzai::Filter::SanitizationFilter do
      expect(filter(act).to_html).to eq exp
    end

-    it 'disallows the `name` attribute globally' do
+    it 'disallows the `name` attribute globally, allows on `a`' do
      html = <<~HTML
        <img name="getElementById" src="">
        <span name="foo" class="bar">Hi</span>
+        <a name="foo" class="bar">Bye</a>
      HTML

      doc = filter(html)

      expect(doc.at_css('img')).not_to have_attribute('name')
      expect(doc.at_css('span')).not_to have_attribute('name')
+      expect(doc.at_css('a')).to have_attribute('name')
    end

    it 'allows `summary` elements' do