Skip to content

G
gitlab-ce
Commit 76db50d6 authored by Phil Hughes's avatar Phil Hughes
Browse files
Options

Fixes gl-emoji's not rendering inside of issue descriptions 

The gl-emoji tag gets sanitized out of the issue description
which means that fallback emojis won't work.
parent 342186c7
Hide whitespace changes
Inline Side-by-side
Showing with 22 additions and 2 deletions
app/assets/javascripts/issue_show/components/description.vue
View file @ 76db50d6
...@@ -123,6 +123,7 @@ export default { ...@@ -123,6 +123,7 @@ export default {
} }
}, },
}, },
safeHtmlConfig: { ADD_TAGS: ['gl-emoji'] },
}; };
</script> </script>
...@@ -136,7 +137,7 @@ export default { ...@@ -136,7 +137,7 @@ export default {
> >
<div <div
ref="gfm-content" ref="gfm-content"
v-safe-html="descriptionHtml" v-safe-html:[$options.safeHtmlConfig]="descriptionHtml"
:class="{ :class="{
'issue-realtime-pre-pulse': preAnimation, 'issue-realtime-pre-pulse': preAnimation,
'issue-realtime-trigger-pulse': pulseAnimation, 'issue-realtime-trigger-pulse': pulseAnimation,
......
app/assets/javascripts/lib/dompurify.js
View file @ 76db50d6
...@@ -3,7 +3,7 @@ import { getBaseURL, relativePathToAbsolute } from '~/lib/utils/url_utility'; ...@@ -3,7 +3,7 @@ import { getBaseURL, relativePathToAbsolute } from '~/lib/utils/url_utility';
const defaultConfig = { const defaultConfig = {
// Safely allow SVG <use> tags // Safely allow SVG <use> tags
ADD_TAGS: ['use'], ADD_TAGS: ['use', 'gl-emoji'],
// Prevent possible XSS attacks with data-* attributes used by @rails/ujs // Prevent possible XSS attacks with data-* attributes used by @rails/ujs
// See https://gitlab.com/gitlab-org/gitlab-ui/-/issues/1421 // See https://gitlab.com/gitlab-org/gitlab-ui/-/issues/1421
FORBID_ATTR: ['data-remote', 'data-url', 'data-type', 'data-method'], FORBID_ATTR: ['data-remote', 'data-url', 'data-type', 'data-method'],
......
spec/features/issues/issue_detail_spec.rb
View file @ 76db50d6
...@@ -32,6 +32,21 @@ RSpec.describe 'Issue Detail', :js do ...@@ -32,6 +32,21 @@ RSpec.describe 'Issue Detail', :js do
end end
end end
context 'when issue description has emojis' do
let(:issue) { create(:issue, project: project, author: user, description: 'hello world :100:') }
before do
sign_in(user)
visit project_issue_path(project, issue)
end
it 'renders gl-emoji tag' do
page.within('.description') do
expect(page).to have_selector('gl-emoji', count: 1)
end
end
end
context 'when issue description has xss snippet' do context 'when issue description has xss snippet' do
before do before do
issue.update!(description: '![xss" onload=alert(1);//](a)') issue.update!(description: '![xss" onload=alert(1);//](a)')
......
spec/frontend/lib/dompurify_spec.js
View file @ 76db50d6
...@@ -65,6 +65,10 @@ describe('~/lib/dompurify', () => { ...@@ -65,6 +65,10 @@ describe('~/lib/dompurify', () => {
expect(sanitize(htmlXlink)).toBe(htmlXlink); expect(sanitize(htmlXlink)).toBe(htmlXlink);
}); });
it("doesn't sanitize gl-emoji", () => {
expect(sanitize('<p><gl-emoji>💯</gl-emoji></p>')).toBe('<p><gl-emoji>💯</gl-emoji></p>');
});
describe.each` describe.each`
type | gon type | gon
${'root'} | ${rootGon} ${'root'} | ${rootGon}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7