fix(GlButton): use safe link directive (!2191) · Merge requests · GitLab.org / gitlab-ui

Paul Gascou-Vaillancourt requested to merge 1379-button-safe-links into main May 04, 2021

Integration branch: gitlab!60961 (merged)

What does this MR do?

This reapplies the changes from !2155 (merged). They had to be reverted because GitLab actually renders a few legitimate "unsafe" links that rely on Data URLs. We needed a way to bypass the security check on specific links before releasing those changes in GlButton.

To address the initial issues, this MR adds a few more changes:

Creates the SafeLinkMixin mixin. It...
- ...wraps the SafeLink directive.
- ...exposes a isUnsafeLink prop.
- ...is applied to GlLink and GlButton.
The SafeLinkDirective will now skip the transformation step whenever isUnsafeLink is true.
Additional documentation has been added to GlLink and GlButton READMEs to better explain internal security measures.

As a small bonus, the SafeLinkDirective module has been migrated to a named export to satisfy the global ESLint config.

Closes #1379 (closed)

Edited May 12, 2021 by Paul Gascou-Vaillancourt

fix(GlButton): use safe link directive

What does this MR do?

Merge request reports