Commit 4f15096c authored by Stan Hu's avatar Stan Hu

Update sanitize to v6.0.0

This requires Nokogiri v1.12 and eliminates Nokogumbo as Nokogiri
includes both.
parent e3c195f6
......@@ -264,7 +264,7 @@ gem 'ruby-fogbugz', '~> 0.2.1'
gem 'kubeclient', '~> 4.9.2'
# Sanitize user input
gem 'sanitize', '~> 5.2.1'
gem 'sanitize', '~> 6.0'
gem 'babosa', '~> 1.0.4'
# Sanitizes SVG input
......@@ -795,8 +795,6 @@ GEM
nokogiri (1.12.5)
mini_portile2 (~> 2.6.1)
racc (~> 1.4)
nokogumbo (2.0.2)
nokogiri (~> 1.8, >= 1.8.4)
notiffany (0.1.3)
nenv (~> 0.1)
shellany (~> 0.0)
......@@ -1144,10 +1142,9 @@ GEM
safe_yaml (1.0.4)
safety_net_attestation (0.4.0)
jwt (~> 2.0)
sanitize (5.2.1)
sanitize (6.0.0)
crass (~> 1.0.2)
nokogiri (>= 1.8.0)
nokogumbo (~> 2.0)
nokogiri (>= 1.12.0)
sass (3.5.5)
sass-listen (~> 4.0.0)
sass-listen (4.0.0)
......@@ -1624,7 +1621,7 @@ DEPENDENCIES
ruby_parser (~> 3.15)
rubyzip (~> 2.0.0)
rugged (~> 1.2)
sanitize (~> 5.2.1)
sanitize (~> 6.0)
sassc-rails (~> 2.1.0)
sd_notify (~> 0.1.0)
seed-fu (~> 2.3.7)
......@@ -42,7 +42,7 @@ module Banzai
# Allow any protocol in `a` elements
# and then remove links with unsafe protocols
allowlist[:protocols].delete('a')
allowlist[:transformers].push(self.class.method(:remove_unsafe_links))
allowlist[:transformers].push(self.class.method(:sanitize_unsafe_links))
# Remove `rel` attribute from `a` elements
allowlist[:transformers].push(self.class.remove_rel)
......@@ -8,6 +8,12 @@ module Gitlab
UNSAFE_PROTOCOLS = %w(data javascript vbscript).freeze
ATTRS_TO_SANITIZE = %w(href src data-src data-canonical-src).freeze
# sanitize 6.0 requires only a context argument. Do not add any default
# arguments to this method.
def sanitize_unsafe_links(env)
remove_unsafe_links(env)
end
def remove_unsafe_links(env, remove_invalid_links: true)
node = env[:node]
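Review bot: The comment above the new `sanitize_unsafe_links` wrapper says sanitize 6.0 requires a single context argument but not what breaks otherwise, so a later cleanup could fold it back into `remove_unsafe_links(env, remove_invalid_links: true)` with no failure at load time. If I read sanitize 6.0's transformer invocation right, it hands each transformer the env as one Hash, which a method that also declares a keyword parameter would not accept, so I would say that explicitly: `# sanitize 6.0 calls each transformer with a single env Hash. A method that also declares keyword parameters (see remove_unsafe_links) would not match that call, so this wrapper must keep exactly one positional parameter.` The wrapper also pins `remove_invalid_links` at its default of `true`, which deserves a sentence in the same comment because this transformer is presumably what handles the UNSAFE_PROTOCOLS and ATTRS_TO_SANITIZE listed at the top of the hunk. A spec that pushes a link with an unsafe protocol through the full sanitize pipeline, rather than calling `remove_unsafe_links` directly, would catch an arity mismatch against the gem before it reaches production. The body of `remove_unsafe_links` continues past the end of the hunk.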