Commit 9e7a9c63 authored by Robert Speicher's avatar Robert Speicher

Further limit the limited whitelist for project/group descriptions

parent 79c4e389
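--- a/<path-not-shown-on-page>
+++ b/<path-not-shown-on-page>
@@ -12,6 +12,7 @@ module Gitlab
 # See http://git.io/vkuAN
 if pipeline == :description
 whitelist = LIMITED
+whitelist[:elements] -= %w(pre code img ol ul li)
 else
 whitelist = super
 end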
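Review bot: The added `whitelist[:elements] -= %w(pre code img ol ul li)` writes a new array into the `LIMITED` hash itself, because `whitelist = LIMITED` on the line above aliases the constant rather than copying it; the assignment therefore either raises if `LIMITED` is frozen or permanently shrinks the shared constant on the first `:description` call, which would silently affect any other pipeline that reads `LIMITED` (not visible in this hunk). A sanitization whitelist is exactly the kind of shared state that should not drift between calls, so take a copy before narrowing it: `whitelist = LIMITED.dup` followed by `whitelist[:elements] = LIMITED[:elements] - %w(pre code img ol ul li)` (a shallow `dup` is enough here since `:elements` is reassigned, not mutated in place). If `LIMITED` is intentionally mutable and only ever used for `:description`, a comment saying so would stop the next reader from "fixing" it. The enclosing method begins outside the hunk.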
...@@ -95,8 +95,23 @@ module Gitlab::Markdown ...@@ -95,8 +95,23 @@ module Gitlab::Markdown
context 'when pipeline is :description' do context 'when pipeline is :description' do
it 'uses a stricter whitelist' do it 'uses a stricter whitelist' do
doc = filter('<h1>My Project</h1>', pipeline: :description) doc = filter('<h1>Description</h1>', pipeline: :description)
expect(doc.to_html.strip).to eq 'My Project' expect(doc.to_html.strip).to eq 'Description'
end
%w(pre code img ol ul li).each do |elem|
it "removes '#{elem}' elements" do
act = "<#{elem}>Description</#{elem}>"
expect(filter(act, pipeline: :description).to_html.strip).
to eq 'Description'
end
end
%w(b i strong em a ins del sup sub p).each do |elem|
it "still allows '#{elem}' elements" do
exp = act = "<#{elem}>Description</#{elem}>"
expect(filter(act, pipeline: :description).to_html).to eq exp
end
end end
end end
end end
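Review bot: The generated "removes" examples only assert that bare text survives `.strip`; one case where a stripped element wraps an allowed one (e.g. `act = "<pre><b>Description</b></pre>"` expecting `<b>Description</b>`) would also pin down that the filter drops the tag and keeps its subtree, which the existing examples suggest but do not prove. The `img` example is weaker than its name implies, since `<img>Description</img>` is parsed as a void element followed by a text node, so the text would survive even if `img` were still allowed. Stylistically, the trailing-dot continuation `expect(filter(act, pipeline: :description).to_html.strip).` / `to eq 'Description'` reads better as a leading-dot chain (`expect(filter(act, pipeline: :description).to_html.strip)` / `.to eq 'Description'`). The enclosing `describe` blocks begin outside the hunk.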