Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
e1a77fa7
Commit
e1a77fa7
authored
Jun 15, 2018
by
Douwe Maan
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Whitelist text-align property for th and td
parent
bc2cf82f
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
13 additions
and
2 deletions
+13
-2
lib/banzai/filter/sanitization_filter.rb
lib/banzai/filter/sanitization_filter.rb
+2
-1
spec/lib/banzai/filter/sanitization_filter_spec.rb
spec/lib/banzai/filter/sanitization_filter_spec.rb
+11
-1
No files found.
lib/banzai/filter/sanitization_filter.rb
View file @
e1a77fa7
...
...
@@ -25,10 +25,11 @@ module Banzai
# Only push these customizations once
return
if
customized?
(
whitelist
[
:transformers
])
# Allow table alignment; we whitelist specific
style properti
es in a
# Allow table alignment; we whitelist specific
text-align valu
es in a
# transformer below
whitelist
[
:attributes
][
'th'
]
=
%w(style)
whitelist
[
:attributes
][
'td'
]
=
%w(style)
whitelist
[
:css
]
=
{
properties:
[
'text-align'
]
}
# Allow span elements
whitelist
[
:elements
].
push
(
'span'
)
...
...
spec/lib/banzai/filter/sanitization_filter_spec.rb
View file @
e1a77fa7
...
...
@@ -93,6 +93,16 @@ describe Banzai::Filter::SanitizationFilter do
expect
(
doc
.
at_css
(
'td'
)[
'style'
]).
to
eq
'text-align: center'
end
it
'disallows `text-align` property in `style` attribute on other elements'
do
html
=
<<~
HTML
<div style="text-align: center">Text</div>
HTML
doc
=
filter
(
html
)
expect
(
doc
.
at_css
(
'div'
)[
'style'
]).
to
be_nil
end
it
'allows `span` elements'
do
exp
=
act
=
%q{<span>Hello</span>}
expect
(
filter
(
act
).
to_html
).
to
eq
exp
...
...
@@ -224,7 +234,7 @@ describe Banzai::Filter::SanitizationFilter do
'protocol-based JS injection: spaces and entities'
=>
{
input:
'<a href="  javascript:alert(\'XSS\');">foo</a>'
,
output:
'<a href
=""
>foo</a>'
output:
'<a href>foo</a>'
},
'protocol whitespace'
=>
{
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment