Module: Gitlab::Utils::SanitizeNodeLink

Included in:
Banzai::Filter::AutolinkFilter, Banzai::Filter::BaseSanitizationFilter, Banzai::Filter::WikiLinkFilter
Defined in:
lib/gitlab/utils/sanitize_node_link.rb

Constant Summary

# URL schemes that are never allowed in a sanitized link. #safe_protocol?
# compares the normalised scheme against this denylist.
UNSAFE_PROTOCOLS = %w[data javascript vbscript].freeze

# Attributes whose values carry a URL; presumably the ones sanitize_node
# inspects (its body is not shown here — confirm against the source file).
ATTRS_TO_SANITIZE = %w[href src data-src].freeze

Instance Method Summary

Instance Method Details


# File 'lib/gitlab/utils/sanitize_node_link.rb', line 11

# Sanitize the link-bearing attributes of the node in +env+ and of each of
# its direct children.
#
# Elements such as <video></video> keep their scannable attributes on child
# elements, which is why the children are visited as well. Only one level
# is walked here; deeper descendants are not reached by this method alone
# (presumably the including filter invokes it per node — confirm).
#
# @param env [Hash] filter environment; the node is read from env[:node]
# @param remove_invalid_links [Boolean] forwarded unchanged to sanitize_node
# @return [Object] the result of iterating the children (callers use the
#   side effect on the node, not the return value)
def remove_unsafe_links(env, remove_invalid_links: true)
  node = env[:node]
  scrub = ->(target) { sanitize_node(node: target, remove_invalid_links: remove_invalid_links) }

  scrub.call(node)
  node.children.each(&scrub)
end

#safe_protocol?(scheme) ⇒ Boolean

Remove all invalid scheme characters before checking against the list of unsafe protocols.

See tools.ietf.org/html/rfc3986#section-3.1

Returns:

  • (Boolean)

# File 'lib/gitlab/utils/sanitize_node_link.rb', line 29

# Normalise +scheme+ and report whether it avoids every UNSAFE_PROTOCOLS entry.
#
# The scheme is stripped, lower-cased and then reduced to the characters
# A-Z, a-z, "+", "." and "-". Everything else — whitespace, control
# characters, and also digits, even though RFC 3986 §3.1 permits them in a
# scheme — is dropped, so an obfuscated value such as "java\tscript" or
# "java1script" collapses to "javascript" before the comparison.
#
# This is a denylist check: any scheme not listed, including an empty
# string, is reported as safe.
#
# @param scheme [String, nil] the URL scheme to check
# @return [Boolean] false for nil or a listed scheme, true otherwise
def safe_protocol?(scheme)
  return false unless scheme

  normalised = scheme.strip.downcase.delete('^A-Za-z+.-')

  !UNSAFE_PROTOCOLS.include?(normalised)
end