Don't allow style attributes in inline HTML

cc29ce49 · Vinnie Okada · 52bf95ae · cc29ce49 · cc29ce49
Commit cc29ce49 authored Mar 21, 2015 by Vinnie Okada
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

CHANGELOG CHANGELOG +1 -0

lib/gitlab/markdown.rb lib/gitlab/markdown.rb +1 -1

No files found.
--- a/CHANGELOG
+++ b/CHANGELOG
 Please view this file on the master branch, on stable branches it's out of date.

 v 7.10.0 (unreleased)
+  - Allow HTML tags in Markdown input

 v 7.9.0 (unreleased)
  - Add HipChat integration documentation (Stan Hu)

--- a/lib/gitlab/markdown.rb
+++ b/lib/gitlab/markdown.rb
@@ -88,7 +88,7 @@ module Gitlab
      ]

      whitelist = HTML::Pipeline::SanitizationFilter::WHITELIST
-      whitelist[:attributes][:all].push('class', 'id', 'style')
+      whitelist[:attributes][:all].push('class', 'id')

      # Remove the rel attribute that the sanitize gem adds, and remove the
      # href attribute if it contains inline javascript