Commit 46696bde authored by Paco Guzman's avatar Paco Guzman

Banzai::Filter::UploadLinkFilter use XPath

parent 1b43f51a
...@@ -118,6 +118,7 @@ v 8.8.5 ...@@ -118,6 +118,7 @@ v 8.8.5
- Prevent unauthorized access for projects build traces - Prevent unauthorized access for projects build traces
- Forbid scripting for wiki files - Forbid scripting for wiki files
- Only show notes through JSON on confidential issues that the user has access to - Only show notes through JSON on confidential issues that the user has access to
- Banzai::Filter::UploadLinkFilter use XPath instead CSS expressions
v 8.8.4 v 8.8.4
- Fix LDAP-based login for users with 2FA enabled. !4493 - Fix LDAP-based login for users with 2FA enabled. !4493
......
...@@ -10,11 +10,11 @@ module Banzai ...@@ -10,11 +10,11 @@ module Banzai
def call def call
return doc unless project return doc unless project
doc.search('a').each do |el| doc.xpath('descendant-or-self::a[starts-with(@href, "/uploads/")]').each do |el|
process_link_attr el.attribute('href') process_link_attr el.attribute('href')
end end
doc.search('img').each do |el| doc.xpath('descendant-or-self::img[starts-with(@src, "/uploads/")]').each do |el|
process_link_attr el.attribute('src') process_link_attr el.attribute('src')
end end
...@@ -24,12 +24,7 @@ module Banzai ...@@ -24,12 +24,7 @@ module Banzai
protected protected
def process_link_attr(html_attr) def process_link_attr(html_attr)
return if html_attr.blank? html_attr.value = build_url(html_attr.value).to_s
uri = html_attr.value
if uri.starts_with?("/uploads/")
html_attr.value = build_url(uri).to_s
end
end end
def build_url(uri) def build_url(uri)
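Review bot: `process_link_attr` now rewrites whatever attribute it is handed, because both the `blank?` guard and the `starts_with?("/uploads/")` check were dropped and the prefix test lives only in the two XPath strings in `call`. That is safe for the callers visible here, since a predicate such as `starts-with(@href, "/uploads/")` only selects elements that carry the attribute. Any other caller of this protected method (a subclass or a later refactor) would hit a NoMethodError on nil or would rebase an unrelated URL onto the project path. I would either keep the cheap guard, `return if html_attr.blank?`, or state the precondition above the method: `# html_attr must be non-nil and its value must start with "/uploads/"; #call enforces this through its XPath predicates.` `build_url` begins on the last visible line and its body is outside the hunk, so how it joins the value cannot be checked here.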
......
...@@ -23,6 +23,14 @@ describe Banzai::Filter::UploadLinkFilter, lib: true do ...@@ -23,6 +23,14 @@ describe Banzai::Filter::UploadLinkFilter, lib: true do
%(<a href="#{path}">#{path}</a>) %(<a href="#{path}">#{path}</a>)
end end
def nested_image(path)
%(<div><img src="#{path}" /></div>)
end
def nested_link(path)
%(<div><a href="#{path}">#{path}</a></div>)
end
let(:project) { create(:project) } let(:project) { create(:project) }
shared_examples :preserve_unchanged do shared_examples :preserve_unchanged do
...@@ -47,11 +55,19 @@ describe Banzai::Filter::UploadLinkFilter, lib: true do ...@@ -47,11 +55,19 @@ describe Banzai::Filter::UploadLinkFilter, lib: true do
doc = filter(link('/uploads/e90decf88d8f96fe9e1389afc2e4a91f/test.jpg')) doc = filter(link('/uploads/e90decf88d8f96fe9e1389afc2e4a91f/test.jpg'))
expect(doc.at_css('a')['href']). expect(doc.at_css('a')['href']).
to eq "#{Gitlab.config.gitlab.url}/#{project.path_with_namespace}/uploads/e90decf88d8f96fe9e1389afc2e4a91f/test.jpg" to eq "#{Gitlab.config.gitlab.url}/#{project.path_with_namespace}/uploads/e90decf88d8f96fe9e1389afc2e4a91f/test.jpg"
doc = filter(nested_link('/uploads/e90decf88d8f96fe9e1389afc2e4a91f/test.jpg'))
expect(doc.at_css('a')['href']).
to eq "#{Gitlab.config.gitlab.url}/#{project.path_with_namespace}/uploads/e90decf88d8f96fe9e1389afc2e4a91f/test.jpg"
end end
it 'rebuilds relative URL for an image' do it 'rebuilds relative URL for an image' do
doc = filter(link('/uploads/e90decf88d8f96fe9e1389afc2e4a91f/test.jpg')) doc = filter(image('/uploads/e90decf88d8f96fe9e1389afc2e4a91f/test.jpg'))
expect(doc.at_css('a')['href']). expect(doc.at_css('img')['src']).
to eq "#{Gitlab.config.gitlab.url}/#{project.path_with_namespace}/uploads/e90decf88d8f96fe9e1389afc2e4a91f/test.jpg"
doc = filter(nested_image('/uploads/e90decf88d8f96fe9e1389afc2e4a91f/test.jpg'))
expect(doc.at_css('img')['src']).
to eq "#{Gitlab.config.gitlab.url}/#{project.path_with_namespace}/uploads/e90decf88d8f96fe9e1389afc2e4a91f/test.jpg" to eq "#{Gitlab.config.gitlab.url}/#{project.path_with_namespace}/uploads/e90decf88d8f96fe9e1389afc2e4a91f/test.jpg"
end end
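Review bot: The added examples only exercise values that should be rewritten, so nothing in these hunks pins the negative side of the new XPath predicates. Since the `/uploads/` prefix check moved out of Ruby and into `starts-with(...)`, I would add one example where the path contains `/uploads/` but does not start with it, and one for an `<a>` with no `href`, each asserting that the attribute is left unchanged. For the first, something like `expect(filter(nested_link(path)).at_css('a')['href']).to eq path` with a constructed `path` such as `'/other/uploads/test.jpg'` would do. The `:preserve_unchanged` shared examples start in the visible lines but their body is outside them, so part of this may already be covered.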
......