
#26790 whitelist style attribute in event_note

M. Hasbini requested to merge 0xbsec/gitlab-ce:26790-label-color-todos into master

What does this MR do?

Whitelist style attribute when sanitizing todo body.

Are there points in the code the reviewer needs to double check?

Tests: whether they are in the appropriate file, and whether they cover the proposed fix.

Why was this MR needed?

Fix #26790 (closed)

Screenshots (if relevant)

[Screenshot: Screen_Shot_2017-02-11_at_2.00.07_AM]

Does this MR meet the acceptance criteria?

What are the relevant issue numbers?

Closes #26790 (closed)

Rails::Html::WhiteListSanitizer.allowed_attributes has a default value, the set href src width height alt cite datetime title class name xml:lang abbr [1]. So the call sanitize(text, tags: %w(a img b pre code p span)) was removing the style attribute from the label span. I've added the style attribute to the default set.

[1] https://github.com/rails/rails-html-sanitizer/blob/663bf35d17cf35d0385861902362333a789cc642/lib/rails/html/sanitizer.rb#L110
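The paragraph above describes the mechanism but not how an attribute allowlist actually decides the fate of `style`. The following is an added illustration written for this page; it is not the MR's code and not rails-html-sanitizer's implementation. It assumes a simplified HTML subset (double-quoted attribute values only, text between tags passed through unchanged) and a deliberately small, constructed CSS property allowlist (`SAFE_CSS_PROPERTIES`) so that keeping `style` does not mean keeping arbitrary CSS. The default attribute set is the one quoted in the description.

```ruby
require 'set'

# Default attribute allowlist as quoted in the MR description (rails-html-sanitizer).
DEFAULT_ATTRIBUTES = Set.new(
  %w(href src width height alt cite datetime title class name xml:lang abbr)
).freeze

# The MR's fix, modelled here as a second allowlist that also admits `style`.
ATTRIBUTES_WITH_STYLE = (DEFAULT_ATTRIBUTES | Set['style']).freeze

# Constructed CSS property allowlist for this example (assumption; Loofah's
# real list is much longer). Only declarations using these properties survive.
SAFE_CSS_PROPERTIES = Set.new(%w(color background-color font-weight)).freeze

TAG_RE  = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>}
ATTR_RE = /([a-zA-Z][\w:-]*)\s*=\s*"([^"]*)"/
# Conservative value grammar: hex colours, keywords, lengths; no parentheses,
# quotes or backslashes, so url()/expression() style payloads cannot pass.
CSS_VALUE_RE = /\A[\w#%.\s-]+\z/

# Keep only `property: value` declarations whose property is allowlisted and
# whose value matches the conservative grammar above.
def scrub_css(style)
  style.split(';').map(&:strip).reject(&:empty?).select do |decl|
    prop, value = decl.split(':', 2).map { |s| s.to_s.strip.downcase }
    SAFE_CSS_PROPERTIES.include?(prop) && value.match?(CSS_VALUE_RE)
  end.join('; ')
end

# Rebuild each tag keeping only allowlisted attributes. Tags not in `tags` are
# dropped while their text content is kept, as allowlist sanitizers usually do.
def sanitize(html, tags:, attributes: DEFAULT_ATTRIBUTES)
  html.gsub(TAG_RE) do
    closing, name, raw_attrs = $1, $2.downcase, $3
    next '' unless tags.include?(name)
    next "</#{name}>" unless closing.empty?

    kept = raw_attrs.scan(ATTR_RE).filter_map do |attr, value|
      attr = attr.downcase
      next unless attributes.include?(attr)
      if attr == 'style'
        value = scrub_css(value)
        next if value.empty?        # nothing safe left: drop the attribute
      end
      %( #{attr}="#{value}")
    end
    "<#{name}#{kept.join}>"
  end
end

# Constructed sample: a coloured label span like the one rendered in a todo body.
LABEL_HTML = '<span class="label" style="background-color: #ff0000; color: #fff">bug</span>'
TODO_TAGS  = %w(a img b pre code p span).freeze

if __FILE__ == $0
  puts "before fix: #{sanitize(LABEL_HTML, tags: TODO_TAGS)}"
  puts "after fix:  #{sanitize(LABEL_HTML, tags: TODO_TAGS, attributes: ATTRIBUTES_WITH_STYLE)}"
  puts "scrubbed:   #{scrub_css('position: fixed; color: red')}"
end
```

Running it shows the behaviour the description reports: with the default set the span comes back as `<span class="label">bug</span>`, and with `style` admitted the label colour survives. The `scrub_css` step is the part worth carrying over to any real sanitizer configuration: admitting the attribute name and admitting every CSS value are two separate decisions.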
