Merge branch 'djadmin-fix-dompurify-configuration' into 'master'

Prevent overriding DOMPurify's default config with custom configuration See merge request gitlab-org/gitlab!69269

Merge branch 'djadmin-fix-dompurify-configuration' into 'master'
Prevent overriding DOMPurify's default config with custom configuration See merge request gitlab-org/gitlab!69269
6434079d · Natalia Tepluhina · 23716539 · de0647b6 · 6434079d · 6434079d
Commit 6434079d authored Sep 01, 2021 by Natalia Tepluhina
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 1 deletion

app/assets/javascripts/lib/dompurify.js app/assets/javascripts/lib/dompurify.js +1 -1

spec/frontend/lib/dompurify_spec.js spec/frontend/lib/dompurify_spec.js +13 -0

No files found.
--- a/app/assets/javascripts/lib/dompurify.js
+++ b/app/assets/javascripts/lib/dompurify.js
@@ -52,4 +52,4 @@ addHook('afterSanitizeAttributes', (node) => {
  }
 });
-export const sanitize = (val, config = defaultConfig) => dompurifySanitize(val, config);
+export const sanitize = (val, config) => dompurifySanitize(val, { ...defaultConfig, ...config });
--- a/spec/frontend/lib/dompurify_spec.js
+++ b/spec/frontend/lib/dompurify_spec.js
@@ -44,6 +44,19 @@ describe('~/lib/dompurify', () => {
    expect(sanitize('<strong></strong>', { ALLOWED_TAGS: [] })).toBe('');
  });
+  describe('includes default configuration', () => {
+    it('with empty config', () => {
+      const svgIcon = '<svg width="100"><use></use></svg>';
+      expect(sanitize(svgIcon, {})).toBe(svgIcon);
+    });
+    it('with valid config', () => {
+      expect(sanitize('<a href="#" data-remote="true"></a>', { ALLOWED_TAGS: ['a'] })).toBe(
+        '<a href="#"></a>',
+      );
+    });
+  });
  describe.each`
    type          | gon
    ${'root'}     | ${rootGon}