Disallow @rails/ujs data-* attributes in v-safe-html
The default DOMPurify configuration allows any and all data-* attributes (ALLOW_DATA_ATTR defaults to true). But @rails/ujs (Rails Unobtrusive JavaScript) uses these data attributes as hooks to attach behaviour to elements, so sanitised HTML that still carries them can lead to XSS (e.g., gitlab#294128 (closed)).
It's not immediately obvious which dataset attributes in particular should be blocked. I think data-remote is the most dangerous one, but there might be others.
While I think GitLab still relies on @rails/ujs for some features, it probably isn't passing these through DOMPurify, so we should be able to simply denylist these.
Edited by Mark Florian
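An added example, not code from this issue or from GitLab's v-safe-html directive: a DOMPurify config plus an uponSanitizeAttribute hook that denies the @rails/ujs data-* hooks while leaving other data-* attributes allowed. Only data-remote comes from the issue; the rest of the attribute list (data-method, data-confirm, data-params, data-type, data-url, data-disable, data-disable-with) is an assumption taken from the @rails/ujs selectors and should be checked against the @rails/ujs version actually in use. The names installRailsUjsDenylist and simulateHook, and the sample attribute map, are constructed for this example.

```javascript
// Added example (not GitLab's v-safe-html code): deny the @rails/ujs data-*
// hooks in DOMPurify instead of relying on the permissive ALLOW_DATA_ATTR default.

// Assumption: these are the attributes @rails/ujs acts on. data-remote comes from
// the issue; the others are taken from the @rails/ujs selectors and should be
// verified against the version that is actually shipped.
const RAILS_UJS_ATTRS = Object.freeze([
  'data-remote',
  'data-method',
  'data-confirm',
  'data-params',
  'data-type',
  'data-url',
  'data-disable',
  'data-disable-with',
]);

// Config to pass as the second argument of DOMPurify.sanitize(). Other data-*
// attributes stay allowed; if nothing legitimate needs them, the blunter option
// is { ALLOW_DATA_ATTR: false } instead of a denylist.
const UJS_DENYLIST_CONFIG = Object.freeze({
  FORBID_ATTR: [...RAILS_UJS_ATTRS],
});

// HTML attribute names are case-insensitive, so normalise before comparing.
function isRailsUjsAttr(attrName) {
  return RAILS_UJS_ATTRS.includes(String(attrName).toLowerCase());
}

// Hook with the shape DOMPurify passes to 'uponSanitizeAttribute' listeners:
// (currentNode, hookEvent, config), where hookEvent carries attrName, attrValue,
// keepAttr and forceKeepAttr. Clearing keepAttr drops the attribute. Registering
// this in addition to FORBID_ATTR means a caller who passes their own config
// object (and so replaces FORBID_ATTR) still cannot reintroduce the ujs hooks.
function dropRailsUjsAttr(currentNode, hookEvent) {
  if (isRailsUjsAttr(hookEvent.attrName)) {
    hookEvent.keepAttr = false;
    hookEvent.forceKeepAttr = false;
  }
  return hookEvent;
}

// Wire both into a DOMPurify instance (the browser global, or DOMPurify(window)
// under jsdom) and return a sanitiser that always applies the denylist.
function installRailsUjsDenylist(purify) {
  purify.addHook('uponSanitizeAttribute', dropRailsUjsAttr);
  return (dirty) => purify.sanitize(dirty, UJS_DENYLIST_CONFIG);
}

// Offline check of the hook logic: call it over a constructed attribute map the
// way DOMPurify would, once per attribute, and return what survives.
function simulateHook(attrs) {
  const kept = {};
  for (const [attrName, attrValue] of Object.entries(attrs)) {
    const hookEvent = { attrName, attrValue, keepAttr: true, forceKeepAttr: undefined };
    dropRailsUjsAttr(null, hookEvent);
    if (hookEvent.keepAttr) kept[attrName] = attrValue;
  }
  return kept;
}

// Constructed sample: a link that @rails/ujs would turn into an XHR DELETE
// if it reached the live DOM with these attributes intact.
const SAMPLE_ATTRS = {
  href: '/admin/users/1',
  'data-remote': 'true',
  'data-method': 'delete',
  'data-id': '1', // harmless data-* attribute, should survive
};
```

The hook is the part that matters for a directive like v-safe-html: the sanitised markup is inserted into a live document, where @rails/ujs's delegated event handlers act on any element matching its data-* selectors, so the attributes have to be gone before insertion rather than merely ignored by Vue. If the directive calls DOMPurify.sanitize with its own config object, the FORBID_ATTR list needs to be merged into that config, or the hook registered once at startup so it applies regardless of what config each caller passes.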