Jira private links with paperclip icons

In the Jira Issue Detail page, this adds the paperclip icon before the
Jira private image links.

app/assets/stylesheets/framework/typography.scss

@@ -430,8 +430,7 @@
     }
   }
 
-  a[href*='/uploads/'],
-  a[href*='storage.googleapis.com/google-code-attachments/'] {
+  a.with-attachment-icon {
     &::before {
       margin-right: 4px;
 
@@ -441,6 +440,11 @@
       -webkit-font-smoothing: antialiased;
       content: '📎';
     }
+  }
+
+  a[href*='/uploads/'],
+  a[href*='storage.googleapis.com/google-code-attachments/'] {
+    @extend .with-attachment-icon;
 
     &.no-attachment-icon {
       &::before {

ee/lib/banzai/filter/jira_private_image_link_filter.rb

@@ -5,13 +5,14 @@ module Banzai
     # HTML filter that replaces the Jira private images with the link to the image.
     class JiraPrivateImageLinkFilter < HTML::Pipeline::Filter
       PRIVATE_IMAGE_PATH = '/secure/attachment/'
+      CSS_WITH_ATTACHMENT_ICON = 'with-attachment-icon'
 
       def call
         doc.xpath('descendant-or-self::img').each do |img|
           next unless img['src'].start_with?(PRIVATE_IMAGE_PATH)
 
           img_link = "#{project.jira_service.url}#{img['src']}"
-          link = "<a href=\"#{img_link}\">#{img_link}</a>"
+          link = "<a class=\"#{CSS_WITH_ATTACHMENT_ICON}\" href=\"#{img_link}\">#{img_link}</a>"
 
           img.replace(link)
         end

ee/lib/ee/banzai/filter/sanitization_filter.rb

+# frozen_string_literal: true
+
+module EE
+  module Banzai
+    module Filter
+      module SanitizationFilter
+        extend ::Gitlab::Utils::Override
+        extend ActiveSupport::Concern
+
+        override :customize_allowlist
+        def customize_allowlist(allowlist)
+          # Remove any `class` property not required for a
+          allowlist[:attributes]['a'].push('class')
+          allowlist[:transformers].push(self.class.remove_unsafe_a_class)
+
+          super(allowlist)
+        end
+
+        class_methods do
+          def remove_unsafe_a_class
+            lambda do |env|
+              node = env[:node]
+
+              return unless node.name == 'a'
+              return unless node.has_attribute?('class')
+
+              return if node['class'] == ::Banzai::Filter::JiraPrivateImageLinkFilter::CSS_WITH_ATTACHMENT_ICON
+
+              node.remove_attribute('class')
+            end
+          end
+        end
+      end
+    end
+  end
+end

ee/spec/lib/banzai/filter/jira_private_image_link_filter_spec.rb

@@ -15,7 +15,7 @@ RSpec.describe Banzai::Filter::JiraPrivateImageLinkFilter do
     it 'replaces the Jira private images with the link to the image' do
       doc = filter("<img src=\"#{img_link}\">", context)
 
-      expect(doc.to_html).to eq("<a href=\"#{jira_service.url}#{img_link}\">#{jira_service.url}#{img_link}</a>")
+      expect(doc.to_html).to eq("<a class=\"with-attachment-icon\" href=\"#{jira_service.url}#{img_link}\">#{jira_service.url}#{img_link}</a>")
     end
   end
 

ee/spec/lib/ee/banzai/filter/sanitization_filter_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Banzai::Filter::SanitizationFilter do
+  include FilterSpecHelper
+
+  describe 'custom allowlist' do
+    it 'sanitizes `class` attribute from a' do
+      act = '<a class="k" href="http://example.com/url">Link</a>'
+
+      expect(filter(act).to_html).to eq('<a href="http://example.com/url">Link</a>')
+    end
+
+    it 'allows `with-attachment-icon` class in `a` elements' do
+      html = '<a class="with-attachment-icon" href="http://example.com/jira.png">http://example.com/jira.png</a>'
+
+      doc = filter(html)
+
+      expect(doc.at_css('a')['class']).to eq('with-attachment-icon')
+    end
+  end
+end

lib/banzai/filter/sanitization_filter.rb

@@ -64,3 +64,5 @@ module Banzai
     end
   end
 end
+
+Banzai::Filter::SanitizationFilter.prepend_if_ee('EE::Banzai::Filter::SanitizationFilter')