Commit a183b529 authored by Douwe Maan's avatar Douwe Maan

Merge branch 'rs-allow-name-on-anchors' into 'master'

Re-allow `name` attribute on user-provided anchor HTML

Closes #38196

See merge request gitlab-org/gitlab-ce!14452
parents 26f05621 f6bc4403
Pipeline #12098300 passed with stages
in 98 minutes and 15 seconds
---
title: Re-allow `name` attribute on user-provided anchor HTML
merge_request:
author:
type: fixed
......@@ -45,8 +45,9 @@ module Banzai
whitelist[:elements].push('abbr')
whitelist[:attributes]['abbr'] = %w(title)
# Disallow `name` attribute globally
# Disallow `name` attribute globally, allow on `a`
whitelist[:attributes][:all].delete('name')
whitelist[:attributes]['a'].push('name')
# Allow any protocol in `a` elements...
whitelist[:protocols].delete('a')
......
......@@ -47,9 +47,11 @@ describe Banzai::Filter::SanitizationFilter do
describe 'custom whitelist' do
it 'customizes the whitelist only once' do
instance = described_class.new('Foo')
control_count = instance.whitelist[:transformers].size
3.times { instance.whitelist }
expect(instance.whitelist[:transformers].size).to eq 5
expect(instance.whitelist[:transformers].size).to eq control_count
end
it 'sanitizes `class` attribute from all elements' do
......@@ -101,16 +103,18 @@ describe Banzai::Filter::SanitizationFilter do
expect(filter(act).to_html).to eq exp
end
it 'disallows the `name` attribute globally' do
it 'disallows the `name` attribute globally, allows on `a`' do
html = <<~HTML
<img name="getElementById" src="">
<span name="foo" class="bar">Hi</span>
<a name="foo" class="bar">Bye</a>
HTML
doc = filter(html)
expect(doc.at_css('img')).not_to have_attribute('name')
expect(doc.at_css('span')).not_to have_attribute('name')
expect(doc.at_css('a')).to have_attribute('name')
end
it 'allows `summary` elements' do
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment