Resolve "Markers, ticks and labels in SVG images in Jupyter notebooks are not rendered"

3cf8580f · Eduardo Bonet · Natalia Tepluhina · b9b54edc · 3cf8580f · 3cf8580f
Commit 3cf8580f authored Sep 08, 2021 by Eduardo Bonet Committed by Natalia Tepluhina Sep 08, 2021
3 changed files
--- a/app/assets/javascripts/lib/dompurify.js
+++ b/app/assets/javascripts/lib/dompurify.js
@@ -16,7 +16,7 @@ const getAllowedIconUrls = (gon = window.gon) =>
 const isUrlAllowed = (url) => getAllowedIconUrls().some((allowedUrl) => url.startsWith(allowedUrl));
 const isHrefSafe = (url) =>
-  isUrlAllowed(url) || isUrlAllowed(relativePathToAbsolute(url, getBaseURL()));
+  isUrlAllowed(url) || isUrlAllowed(relativePathToAbsolute(url, getBaseURL())) || url.match(/^#/);
 const removeUnsafeHref = (node, attr) => {
  if (!node.hasAttribute(attr)) {

--- a/app/assets/javascripts/notebook/cells/output/html.vue
+++ b/app/assets/javascripts/notebook/cells/output/html.vue
@@ -28,12 +28,15 @@ export default {
      return this.index === 0;
    },
  },
+  safeHtmlConfig: {
+    ADD_TAGS: ['use'], // to support icon SVGs
+  },
 };
 </script>
 <template>
  <div class="output">
    <prompt type="Out" :count="count" :show-output="showOutput" />
-    <div v-safe-html="rawCode" class="gl-overflow-auto"></div>
+    <div v-safe-html:[$options.safeHtmlConfig]="rawCode" class="gl-overflow-auto"></div>
  </div>
 </template>
--- a/spec/frontend/lib/dompurify_spec.js
+++ b/spec/frontend/lib/dompurify_spec.js
@@ -57,6 +57,14 @@ describe('~/lib/dompurify', () => {
    });
  });
+  it("doesn't sanitize local references", () => {
+    const htmlHref = `<svg><use href="#some-element"></use></svg>`;
+    const htmlXlink = `<svg><use xlink:href="#some-element"></use></svg>`;
+    expect(sanitize(htmlHref)).toBe(htmlHref);
+    expect(sanitize(htmlXlink)).toBe(htmlXlink);
+  });
  describe.each`
    type          | gon
    ${'root'}     | ${rootGon}