Fix description and GFM pipelines conflicting

Consider this command: bundle exec rails r "include GitlabMarkdownHelper puts markdown('<span>this is a span</span>', pipeline: :description) puts markdown('<span>this is a span</span>')" And the same in the opposite order: bundle exec rails r "include GitlabMarkdownHelper puts markdown('<span>this is a span</span>') puts markdown('<span>this is a span</span>', pipeline: :description)" Before this change, they would both output: <p><span>this is a span</span></p> <p>this is a span</p> That's because `span` is added to the list of whitelisted elements in the `SanitizationFilter`, but this method tries not to make the same changes multiple times. Unfortunately, `HTML::Pipeline::SanitizationFilter::LIMITED`, which is used by the `DescriptionPipeline`, uses the same Ruby objects for all of its hash values _except_ `:elements`. That means that whichever of `DescriptionPipeline` and `GfmPipeline` is called first would have `span` in its whitelisted elements, and the second wouldn't. Fix this by creating an entirely separate hash, before either pipeline is invoked.

Fix description and GFM pipelines conflicting
Consider this command: bundle exec rails r "include GitlabMarkdownHelper puts markdown('<span>this is a span</span>', pipeline: :description) puts markdown('<span>this is a span</span>')" And the same in the opposite order: bundle exec rails r "include GitlabMarkdownHelper puts markdown('<span>this is a span</span>') puts markdown('<span>this is a span</span>', pipeline: :description)" Before this change, they would both output: <p><span>this is a span</span></p> <p>this is a span</p> That's because `span` is added to the list of whitelisted elements in the `SanitizationFilter`, but this method tries not to make the same changes multiple times. Unfortunately, `HTML::Pipeline::SanitizationFilter::LIMITED`, which is used by the `DescriptionPipeline`, uses the same Ruby objects for all of its hash values _except_ `:elements`. That means that whichever of `DescriptionPipeline` and `GfmPipeline` is called first would have `span` in its whitelisted elements, and the second wouldn't. Fix this by creating an entirely separate hash, before either pipeline is invoked.
03d2bf14 · Sean McGivern · cfc99bbd · 03d2bf14
Commit 03d2bf14 authored Jun 13, 2016 by Sean McGivern
Show whitespace changes
Inline Side-by-side

Showing with 5 additions and 12 deletions

lib/banzai/pipeline/description_pipeline.rb lib/banzai/pipeline/description_pipeline.rb +5 -12

No files found.
--- a/lib/banzai/pipeline/description_pipeline.rb
+++ b/lib/banzai/pipeline/description_pipeline.rb
 module Banzai
  module Pipeline
    class DescriptionPipeline < FullPipeline
+      WHITELIST = Banzai::Filter::SanitizationFilter::LIMITED.deep_dup.merge(
+        elements: Banzai::Filter::SanitizationFilter::LIMITED[:elements] - %w(pre code img ol ul li)
+      )
      def self.transform_context(context)
        super(context).merge(
          # SanitizationFilter
-          whitelist: whitelist
+          whitelist: WHITELIST
        )
      end
-      private
-      def self.whitelist
-        # Descriptions are more heavily sanitized, allowing only a few elements.
-        # See http://git.io/vkuAN
-        whitelist = Banzai::Filter::SanitizationFilter::LIMITED
-        whitelist[:elements] -= %w(pre code img ol ul li)
-        whitelist
-      end
    end
  end
 end