Class: Banzai::Filter::SanitizationFilter

Inherits:
BaseSanitizationFilter
Defined in:
lib/banzai/filter/sanitization_filter.rb

Overview

Sanitize HTML produced by Markdown.

Extends Banzai::Filter::BaseSanitizationFilter with specific rules.

Constant Summary

TABLE_ALIGNMENT_PATTERN = /text-align: (?<alignment>center|left|right)/

Styles used by Markdown for table alignment.

Constants inherited from BaseSanitizationFilter

BaseSanitizationFilter::UNSAFE_PROTOCOLS

Constants included from Gitlab::Utils::SanitizeNodeLink

Gitlab::Utils::SanitizeNodeLink::ATTRS_TO_SANITIZE, Gitlab::Utils::SanitizeNodeLink::UNSAFE_PROTOCOLS

Class Method Summary

Instance Method Summary

Methods inherited from BaseSanitizationFilter

#allowlist, remove_rel

Methods included from Gitlab::Utils::SanitizeNodeLink

#remove_unsafe_links, #safe_protocol?, #sanitize_unsafe_links

Class Method Details

.remove_non_footnote_ids ⇒ Object

# File 'lib/banzai/filter/sanitization_filter.rb', line 58

# Transformer that keeps an `id` on a and li elements only when it matches
# the footnote reference patterns; any other `id` on those elements is removed.
def remove_non_footnote_ids
  lambda do |env|
    node = env[:node]

    return unless node.name == 'a' || node.name == 'li'
    return unless node.has_attribute?('id')

    return if node.name == 'a' && node['id'] =~ Banzai::Filter::FootnoteFilter::FOOTNOTE_LINK_REFERENCE_PATTERN
    return if node.name == 'li' && node['id'] =~ Banzai::Filter::FootnoteFilter::FOOTNOTE_LI_REFERENCE_PATTERN

    node.remove_attribute('id')
  end
end

.remove_unsafe_table_style ⇒ Object

# File 'lib/banzai/filter/sanitization_filter.rb', line 43

# Transformer that reduces a th/td `style` attribute to a single
# `text-align` declaration rebuilt from the matched value, and drops the
# attribute entirely when no allowed alignment is present.
def remove_unsafe_table_style
  lambda do |env|
    node = env[:node]

    return unless node.name == 'th' || node.name == 'td'
    return unless node.has_attribute?('style')

    if node['style'] =~ TABLE_ALIGNMENT_PATTERN
      node['style'] = "text-align: #{$~[:alignment]}"
    else
      node.remove_attribute('style')
    end
  end
end

Instance Method Details

#customize_allowlist(allowlist) ⇒ Object

# File 'lib/banzai/filter/sanitization_filter.rb', line 12

def customize_allowlist(allowlist)
  allowlist[:allow_comments] = context[:allow_comments]

  # Allow table alignment; we allow specific text-align values in a
  # transformer below
  allowlist[:attributes]['th'] = %w[style]
  allowlist[:attributes]['td'] = %w[style]
  allowlist[:css] = { properties: ['text-align'] }

  # Allow the 'data-sourcepos' from CommonMark on all elements
  allowlist[:attributes][:all].push('data-sourcepos')
  allowlist[:attributes][:all].push('data-escaped-char')

  # Remove any `style` properties not required for table alignment
  allowlist[:transformers].push(self.class.remove_unsafe_table_style)

  # Allow `id` in a and li elements for footnotes
  # and remove any `id` properties not matching for footnotes
  allowlist[:attributes]['a'].push('id')
  allowlist[:attributes]['li'] = %w[id]
  allowlist[:transformers].push(self.class.remove_non_footnote_ids)

  # Allow section elements with data-footnotes attribute
  allowlist[:elements].push('section')
  allowlist[:attributes]['section'] = %w[data-footnotes]
  allowlist[:attributes]['a'].push('data-footnote-ref', 'data-footnote-backref', 'data-footnote-backref-idx')

  allowlist
end
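As an added example (not GitLab's own code), the following exercises the remove_unsafe_table_style transformer documented above against a constructed node stub, showing that only the captured text-align value survives on th/td cells while every other declaration, or an alignment the pattern does not recognise, is dropped; StubNode and style_after_transform are assumed names introduced here.

```ruby
# Added example (not GitLab's code): runs this page's remove_unsafe_table_style
# transformer against a constructed stand-in for a Nokogiri node, no gems needed.
TABLE_ALIGNMENT_PATTERN = /text-align: (?<alignment>center|left|right)/

# Same logic as the class method documented above.
def remove_unsafe_table_style
  lambda do |env|
    node = env[:node]
    return unless node.name == 'th' || node.name == 'td'
    return unless node.has_attribute?('style')

    if node['style'] =~ TABLE_ALIGNMENT_PATTERN
      # Rebuild the attribute from the captured value only; every other
      # declaration in the original style string is discarded.
      node['style'] = "text-align: #{$~[:alignment]}"
    else
      node.remove_attribute('style')
    end
  end
end

# Minimal stand-in (an assumption, not Nokogiri) exposing only the node API
# the transformer touches: name, has_attribute?, [], []= and remove_attribute.
class StubNode
  attr_reader :name
  def initialize(name, attrs = {})
    @name = name
    @attrs = attrs
  end
  def has_attribute?(key)
    @attrs.key?(key)
  end
  def [](key)
    @attrs[key]
  end
  def []=(key, value)
    @attrs[key] = value
  end
  def remove_attribute(key)
    @attrs.delete(key)
  end
end

# Runs the transformer on one element and returns the surviving style
# attribute, or nil when it was removed (or was never present).
def style_after_transform(tag, style)
  node = StubNode.new(tag, style.nil? ? {} : { 'style' => style })
  remove_unsafe_table_style.call({ node: node })
  node['style']
end
```

Note that the pattern is unanchored, so extra declarations before or after a valid text-align are silently stripped rather than rejected, while a value without the space after the colon does not match and the whole attribute is removed.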