Class: Banzai::Filter::SanitizationFilter

Inherits:
BaseSanitizationFilter show all
Defined in:
lib/banzai/filter/sanitization_filter.rb

Overview

Sanitize HTML produced by Markdown.

Extends Banzai::Filter::BaseSanitizationFilter with rules specific to Markdown output: table-cell alignment styles, the CommonMark data-sourcepos attribute, and footnote ids on a and li elements.

Constant Summary

TABLE_ALIGNMENT_PATTERN =

Styles used by Markdown for table alignment. The pattern is unanchored, so it matches anywhere in a style declaration; the remove_unsafe_table_style transformer rebuilds the attribute from the captured alignment alone.

/text-align: (?<alignment>center|left|right)/.freeze

Constants inherited from BaseSanitizationFilter

BaseSanitizationFilter::UNSAFE_PROTOCOLS

Constants included from Gitlab::Utils::SanitizeNodeLink

Gitlab::Utils::SanitizeNodeLink::ATTRS_TO_SANITIZE, Gitlab::Utils::SanitizeNodeLink::UNSAFE_PROTOCOLS

Class Method Summary

Instance Method Summary

Methods inherited from BaseSanitizationFilter

remove_rel, #whitelist

Methods included from Gitlab::Utils::SanitizeNodeLink

#remove_unsafe_links, #safe_protocol?

Methods included from Gitlab::Utils::StrongMemoize

#clear_memoization, #strong_memoize, #strong_memoized?

Class Method Details

.remove_non_footnote_ids ⇒ Object

Returns a Sanitize transformer that strips the id attribute from a and li elements unless it matches the footnote reference patterns defined in Banzai::Filter::FootnoteFilter. Every other element is left untouched.

# File 'lib/banzai/filter/sanitization_filter.rb', line 50

def remove_non_footnote_ids
  lambda do |env|
    node = env[:node]

    return unless node.name == 'a' || node.name == 'li'
    return unless node.has_attribute?('id')

    return if node.name == 'a' && node['id'] =~ Banzai::Filter::FootnoteFilter::FOOTNOTE_LINK_REFERENCE_PATTERN
    return if node.name == 'li' && node['id'] =~ Banzai::Filter::FootnoteFilter::FOOTNOTE_LI_REFERENCE_PATTERN

    node.remove_attribute('id')
  end
end

.remove_unsafe_table_style ⇒ Object

Returns a Sanitize transformer that reduces the style attribute of th and td elements to a single text-align declaration taken from TABLE_ALIGNMENT_PATTERN, and removes the attribute entirely when no alignment is present.

# File 'lib/banzai/filter/sanitization_filter.rb', line 35

def remove_unsafe_table_style
  lambda do |env|
    node = env[:node]

    return unless node.name == 'th' || node.name == 'td'
    return unless node.has_attribute?('style')

    if node['style'] =~ TABLE_ALIGNMENT_PATTERN
      node['style'] = "text-align: #{$~[:alignment]}"
    else
      node.remove_attribute('style')
    end
  end
end

Instance Method Details

#customize_whitelist(whitelist) ⇒ Object

Adds the Markdown-specific attribute, CSS and transformer rules to the whitelist inherited from BaseSanitizationFilter and returns it. Note that 'a' already has an attribute list in the base whitelist (so id is pushed onto it) while 'li' does not (so its list is created with id only).

# File 'lib/banzai/filter/sanitization_filter.rb', line 12

def customize_whitelist(whitelist)
  # Allow table alignment; we whitelist specific text-align values in a
  # transformer below
  whitelist[:attributes]['th'] = %w(style)
  whitelist[:attributes]['td'] = %w(style)
  whitelist[:css] = { properties: ['text-align'] }

  # Allow the 'data-sourcepos' from CommonMark on all elements
  whitelist[:attributes][:all].push('data-sourcepos')

  # Remove any `style` properties not required for table alignment
  whitelist[:transformers].push(self.class.remove_unsafe_table_style)

  # Allow `id` on a and li elements for footnotes, and remove any `id`
  # that does not match the footnote reference patterns
  whitelist[:attributes]['a'].push('id')
  whitelist[:attributes]['li'] = %w(id)
  whitelist[:transformers].push(self.class.remove_non_footnote_ids)

  whitelist
end
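
The following is an added example, not GitLab's code: it reproduces the two transformers above and the customisations from #customize_whitelist in a stand-alone script, runs them over constructed attribute sets through a toy whitelist pass, and shows what survives on a table cell, a footnote link and an arbitrary anchor. The Node class is a stand-in for the subset of the Nokogiri node API the transformers use, base_whitelist is an assumed stand-in for BaseSanitizationFilter#whitelist, and the two footnote patterns are assumptions (the real ones live in Banzai::Filter::FootnoteFilter and are not on this page).

```ruby
# Added example, not GitLab's code: a stand-alone walkthrough of the whitelist
# built by #customize_whitelist and the two transformers it registers.

TABLE_ALIGNMENT_PATTERN = /text-align: (?<alignment>center|left|right)/.freeze

# ASSUMPTION: Banzai::Filter::FootnoteFilter's patterns are not on this page.
# These anchored stand-ins only play their role (an exact footnote id shape).
FOOTNOTE_LINK_REFERENCE_PATTERN = /\Afnref-\d+\z/.freeze
FOOTNOTE_LI_REFERENCE_PATTERN = /\Afn-\d+\z/.freeze

# Minimal stand-in for the subset of the Nokogiri node API the transformers use.
class Node
  attr_reader :name, :attributes

  def initialize(name, attributes = {})
    @name = name
    @attributes = attributes.dup
  end

  def has_attribute?(key)
    @attributes.key?(key)
  end

  def [](key)
    @attributes[key]
  end

  def []=(key, value)
    @attributes[key] = value
  end

  def remove_attribute(key)
    @attributes.delete(key)
  end
end

# Same logic as the page's .remove_unsafe_table_style.
def remove_unsafe_table_style
  lambda do |env|
    node = env[:node]
    return unless node.name == 'th' || node.name == 'td'
    return unless node.has_attribute?('style')

    if node['style'] =~ TABLE_ALIGNMENT_PATTERN
      # Rebuilt from the capture alone: any other declaration that rode along is gone.
      node['style'] = "text-align: #{$~[:alignment]}"
    else
      node.remove_attribute('style')
    end
  end
end

# Same logic as the page's .remove_non_footnote_ids, using the stand-in patterns.
def remove_non_footnote_ids
  lambda do |env|
    node = env[:node]
    return unless node.name == 'a' || node.name == 'li'
    return unless node.has_attribute?('id')
    return if node.name == 'a' && node['id'] =~ FOOTNOTE_LINK_REFERENCE_PATTERN
    return if node.name == 'li' && node['id'] =~ FOOTNOTE_LI_REFERENCE_PATTERN

    node.remove_attribute('id')
  end
end

# ASSUMPTION: a tiny base whitelist standing in for BaseSanitizationFilter#whitelist;
# it already lists 'a' (so customize_whitelist can push onto it) but not 'li'.
def base_whitelist
  { attributes: { :all => %w(class), 'a' => %w(href) }, transformers: [] }
end

# The customisations from this page's #customize_whitelist, verbatim.
def customize_whitelist(whitelist)
  whitelist[:attributes]['th'] = %w(style)
  whitelist[:attributes]['td'] = %w(style)
  whitelist[:css] = { properties: ['text-align'] }
  whitelist[:attributes][:all].push('data-sourcepos')
  whitelist[:transformers].push(remove_unsafe_table_style)
  whitelist[:attributes]['a'].push('id')
  whitelist[:attributes]['li'] = %w(id)
  whitelist[:transformers].push(remove_non_footnote_ids)
  whitelist
end

# Toy pass: drop attributes the whitelist does not allow on this element, then
# run the transformers. It does not model Sanitize's traversal order or its
# CSS property filtering; it only shows what survives on one element.
def sanitized(name, attributes)
  whitelist = customize_whitelist(base_whitelist)
  node = Node.new(name, attributes)
  allowed = whitelist[:attributes].fetch(name, []) + whitelist[:attributes][:all]
  node.attributes.keys.each { |key| node.remove_attribute(key) unless allowed.include?(key) }
  whitelist[:transformers].each { |transformer| transformer.call(node: node) }
  node.attributes
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a cell with smuggled declarations, a footnote back-reference, an arbitrary id.
  p sanitized('td', 'style' => 'text-align: center; background: url(x)')
  p sanitized('a', 'href' => '#fn-1', 'id' => 'fnref-1')
  p sanitized('a', 'href' => '/x', 'id' => 'target')
end
```

The point the toy pass makes visible is that the whitelist and the transformers do different jobs: the whitelist decides which attributes an element may carry at all (style only on th and td, id only on a and li, data-sourcepos everywhere), while the transformers constrain the values of the attributes that got through, so a cell style collapses to its alignment and an id that is not a footnote reference disappears even though id is an allowed attribute on that element. In the real filter Sanitize also applies the :css property whitelist, which this script omits.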