Merge branch 'jswain_whats_target_blank' into 'master'

Whats new content links open in a new tab

See merge request gitlab-org/gitlab!61954

app/assets/javascripts/whats_new/components/feature.vue

@@ -30,6 +30,7 @@ export default {
       return dateInWords(date);
     },
   },
+  safeHtmlConfig: { ADD_ATTR: ['target'] },
 };
 </script>
 
@@ -71,7 +72,10 @@ export default {
         <gl-icon name="license" />{{ packageName }}
       </gl-badge>
     </div>
-    <div v-safe-html="feature.body" class="gl-pt-3 gl-line-height-20"></div>
+    <div
+      v-safe-html:[$options.safeHtmlConfig]="feature.body"
+      class="gl-pt-3 gl-line-height-20"
+    ></div>
     <gl-button
       :href="feature.url"
       target="_blank"

app/models/release_highlight.rb

@@ -33,7 +33,7 @@ class ReleaseHighlight
       next unless include_item?(item)
 
       begin
-        item.tap {|i| i['body'] = Kramdown::Document.new(i['body']).to_html }
+        item.tap {|i| i['body'] = Banzai.render(i['body'], { project: nil }) }
       rescue StandardError => e
         Gitlab::ErrorTracking.track_exception(e, file_path: file_path)
 

spec/fixtures/whats_new/20201225_01_05.yml

 ---
 - title: bright and sunshinin' day
   body: |
-    ## bright and sunshinin' day
+    bright and sunshinin' [day](https://en.wikipedia.org/wiki/Day)
   self-managed: true
   gitlab-com: false
   packages: ["Premium", "Ultimate"]

spec/frontend/whats_new/components/feature_spec.js

@@ -8,7 +8,7 @@ describe("What's new single feature", () => {
   const exampleFeature = {
     title: 'Compliance pipeline configurations',
     body:
-      '<p>We are thrilled to announce that it is now possible to define enforceable pipelines that will run for any project assigned a corresponding compliance framework.</p>',
+      '<p data-testid="body-content">We are thrilled to announce that it is now possible to define enforceable pipelines that will run for any project assigned a corresponding <a href="https://en.wikipedia.org/wiki/Compliance_(psychology)" target="_blank" rel="noopener noreferrer" onload="alert(xss)">compliance</a> framework.</p>',
     stage: 'Manage',
     'self-managed': true,
     'gitlab-com': true,
@@ -20,6 +20,7 @@ describe("What's new single feature", () => {
   };
 
   const findReleaseDate = () => wrapper.find('[data-testid="release-date"]');
+  const findBodyAnchor = () => wrapper.find('[data-testid="body-content"] a');
 
   const createWrapper = ({ feature } = {}) => {
     wrapper = shallowMount(Feature, {
@@ -43,4 +44,13 @@ describe("What's new single feature", () => {
       expect(findReleaseDate().exists()).toBe(false);
     });
   });
+
+  it('safe-html config allows target attribute on elements', () => {
+    createWrapper({ feature: exampleFeature });
+    expect(findBodyAnchor().attributes()).toEqual({
+      href: expect.any(String),
+      rel: 'noopener noreferrer',
+      target: '_blank',
+    });
+  });
 });

spec/models/release_highlight_spec.rb

@@ -67,12 +67,12 @@ RSpec.describe ReleaseHighlight, :clean_gitlab_redis_cache do
         expect(subject[:next_page]).to eq(2)
       end
 
-      it 'parses the body as markdown and returns html' do
-        expect(subject[:items].first['body']).to match("<h2 id=\"bright-and-sunshinin-day\">bright and sunshinin’ day</h2>")
+      it 'parses the body as markdown and returns html, and links are target="_blank"' do
+        expect(subject[:items].first['body']).to match('<p data-sourcepos="1:1-1:62" dir="auto">bright and sunshinin\' <a href="https://en.wikipedia.org/wiki/Day" rel="nofollow noreferrer noopener" target="_blank">day</a></p>')
       end
 
       it 'logs an error if theres an error parsing markdown for an item, and skips it' do
-        allow(Kramdown::Document).to receive(:new).and_raise
+        allow(Banzai).to receive(:render).and_raise
 
         expect(Gitlab::ErrorTracking).to receive(:track_exception)
         expect(subject[:items]).to be_empty