Merge branch 'fix-markdown-spec' into 'master'

Add whitelisted elements correctly in sanitization Add whitelisted elements correctly in sanitization Consider this command: bundle exec rails r "include GitlabMarkdownHelper puts markdown('<span>this is a span</span>', pipeline: :description) puts markdown('<span>this is a span</span>')" And the same in the opposite order: bundle exec rails r "include GitlabMarkdownHelper puts markdown('<span>this is a span</span>') puts markdown('<span>this is a span</span>', pipeline: :description)" Before this change, they would both output: <p><span>this is a span</span></p> <p>this is a span</p> That's because `span` is added to the list of whitelisted elements in the `SanitizationFilter`, but this method tries not to make the same changes multiple times. Unfortunately, `HTML::Pipeline::SanitizationFilter::LIMITED`, which is used by the `DescriptionPipeline`, uses the same Ruby objects for all of its hash values _except_ `:elements`. That means that whichever of `DescriptionPipeline` and `GfmPipeline` is called first would have `span` in its whitelisted elements, and the second wouldn't. Fix this by adding a special check for modifying `:elements` twice, then checking `:transformers` as before. See merge request !4588

Merge branch 'fix-markdown-spec' into 'master'
Add whitelisted elements correctly in sanitization Add whitelisted elements correctly in sanitization Consider this command: bundle exec rails r "include GitlabMarkdownHelper puts markdown('<span>this is a span</span>', pipeline: :description) puts markdown('<span>this is a span</span>')" And the same in the opposite order: bundle exec rails r "include GitlabMarkdownHelper puts markdown('<span>this is a span</span>') puts markdown('<span>this is a span</span>', pipeline: :description)" Before this change, they would both output: <p><span>this is a span</span></p> <p>this is a span</p> That's because `span` is added to the list of whitelisted elements in the `SanitizationFilter`, but this method tries not to make the same changes multiple times. Unfortunately, `HTML::Pipeline::SanitizationFilter::LIMITED`, which is used by the `DescriptionPipeline`, uses the same Ruby objects for all of its hash values _except_ `:elements`. That means that whichever of `DescriptionPipeline` and `GfmPipeline` is called first would have `span` in its whitelisted elements, and the second wouldn't. Fix this by adding a special check for modifying `:elements` twice, then checking `:transformers` as before. See merge request !4588
066020fc · Douwe Maan · 0c0ef7df · 03d2bf14 · 066020fc
Commit 066020fc authored Jun 14, 2016 by Douwe Maan
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 12 deletions

lib/banzai/pipeline/description_pipeline.rb lib/banzai/pipeline/description_pipeline.rb +5 -12

No files found.
--- a/lib/banzai/pipeline/description_pipeline.rb
+++ b/lib/banzai/pipeline/description_pipeline.rb
 module Banzai
  module Pipeline
    class DescriptionPipeline < FullPipeline
+      WHITELIST = Banzai::Filter::SanitizationFilter::LIMITED.deep_dup.merge(
+        elements: Banzai::Filter::SanitizationFilter::LIMITED[:elements] - %w(pre code img ol ul li)
+      )
+
      def self.transform_context(context)
        super(context).merge(
          # SanitizationFilter
-          whitelist: whitelist
+          whitelist: WHITELIST
        )
      end
-
-      private
-
-      def self.whitelist
-        # Descriptions are more heavily sanitized, allowing only a few elements.
-        # See http://git.io/vkuAN
-        whitelist = Banzai::Filter::SanitizationFilter::LIMITED
-        whitelist[:elements] -= %w(pre code img ol ul li)
-
-        whitelist
-      end
    end
  end
 end