Merge branch 'rs-allow-name-on-anchors' into 'master'

Re-allow `name` attribute on user-provided anchor HTML

Closes #38196

See merge request gitlab-org/gitlab-ce!14452

changelogs/unreleased/rs-allow-name-on-anchors.yml

+---
+title: Re-allow `name` attribute on user-provided anchor HTML
+merge_request:
+author:
+type: fixed

lib/banzai/filter/sanitization_filter.rb

@@ -45,8 +45,9 @@ module Banzai
         whitelist[:elements].push('abbr')
         whitelist[:attributes]['abbr'] = %w(title)
 
-        # Disallow `name` attribute globally
+        # Disallow `name` attribute globally, allow on `a`
         whitelist[:attributes][:all].delete('name')
+        whitelist[:attributes]['a'].push('name')
 
         # Allow any protocol in `a` elements...
         whitelist[:protocols].delete('a')

spec/lib/banzai/filter/sanitization_filter_spec.rb

@@ -47,9 +47,11 @@ describe Banzai::Filter::SanitizationFilter do
   describe 'custom whitelist' do
     it 'customizes the whitelist only once' do
       instance = described_class.new('Foo')
+      control_count = instance.whitelist[:transformers].size
+
       3.times { instance.whitelist }
 
-      expect(instance.whitelist[:transformers].size).to eq 5
+      expect(instance.whitelist[:transformers].size).to eq control_count
     end
 
     it 'sanitizes `class` attribute from all elements' do
@@ -101,16 +103,18 @@ describe Banzai::Filter::SanitizationFilter do
       expect(filter(act).to_html).to eq exp
     end
 
-    it 'disallows the `name` attribute globally' do
+    it 'disallows the `name` attribute globally, allows on `a`' do
       html = <<~HTML
         <img name="getElementById" src="">
         <span name="foo" class="bar">Hi</span>
+        <a name="foo" class="bar">Bye</a>
       HTML
 
       doc = filter(html)
 
       expect(doc.at_css('img')).not_to have_attribute('name')
       expect(doc.at_css('span')).not_to have_attribute('name')
+      expect(doc.at_css('a')).to have_attribute('name')
     end
 
     it 'allows `summary` elements' do