Module: Gitlab::Utils::SanitizeNodeLink

Included in:
Banzai::Filter::AutolinkFilter, Banzai::Filter::BaseSanitizationFilter, Banzai::Filter::WikiLinkFilter
Defined in:
lib/gitlab/utils/sanitize_node_link.rb

Constant Summary

UNSAFE_PROTOCOLS =
%w[data javascript vbscript].freeze
ATTRS_TO_SANITIZE =
%w[href src data-src data-canonical-src].freeze

Instance Method Summary

Instance Method Details



# File 'lib/gitlab/utils/sanitize_node_link.rb', line 17

# Scrub unsafe link attributes from the node carried in +env+ and from each
# of its direct children.
#
# Only one level below the node is visited: elements such as
# <video><source src="..."></video> keep their scannable attributes on a
# child element, which is why the children are walked at all. Deeper
# descendants are not visited by this method.
#
# @param env [Hash] filter context; +env[:node]+ is the element to scrub
#   (assumed to be a Nokogiri node — it must respond to +children+)
# @param remove_invalid_links [Boolean] forwarded unchanged to +sanitize_node+
# @return the result of iterating the children (callers do not use it)
def remove_unsafe_links(env, remove_invalid_links: true)
  scrub = ->(element) { sanitize_node(node: element, remove_invalid_links: remove_invalid_links) }

  root = env[:node]
  scrub.call(root)

  # Same treatment for every direct child; the return value of this
  # iteration is what the method yields, exactly as before.
  root.children.each(&scrub)
end

#safe_protocol?(scheme) ⇒ Boolean

Remove all invalid scheme characters before checking against the list of unsafe protocols.

See www.rfc-editor.org/rfc/rfc3986#section-3.1

Returns:

  • (Boolean)


# File 'lib/gitlab/utils/sanitize_node_link.rb', line 35

# Whether +scheme+ is *not* one of UNSAFE_PROTOCOLS.
#
# The scheme is normalised before the comparison: surrounding whitespace is
# trimmed, it is lowercased, and every character outside the RFC 3986 scheme
# alphabet used here (ASCII letters, "+", "." and "-") is dropped. A scheme
# spelled with stray or invalid characters is therefore compared by its
# canonical form instead of slipping past an exact string match. Digits are
# dropped as well, which is stricter than RFC 3986 permits after the first
# letter; that only makes the check more conservative, never more permissive.
#
# See https://www.rfc-editor.org/rfc/rfc3986#section-3.1
#
# @param scheme [String, nil] scheme component of a URL
# @return [Boolean] false for a nil scheme or any scheme that normalises to
#   an entry of UNSAFE_PROTOCOLS; true otherwise
def safe_protocol?(scheme)
  return false unless scheme

  normalized = scheme.strip.downcase
  normalized = normalized.gsub(/[^A-Za-z\+\.\-]+/, '')

  !UNSAFE_PROTOCOLS.include?(normalized)
end

sanitize 6.0 requires only a context argument. Do not add any default arguments to this method.



# File 'lib/gitlab/utils/sanitize_node_link.rb', line 13

# Transformer entry point. sanitize 6.0 calls a transformer with the context
# hash as its only argument, so this method takes exactly one positional
# parameter and must not gain default arguments; the optional behaviour lives
# in +remove_unsafe_links+ instead.
#
# @param env [Hash] transformer context; +env[:node]+ is the node to scrub
# @return whatever +remove_unsafe_links+ returns
def sanitize_unsafe_links(env)
  # Spell out the default explicitly so the delegated call is self-describing.
  remove_unsafe_links(env, remove_invalid_links: true)
end