Class: Banzai::Filter::SanitizationFilter

Inherits:

BaseSanitizationFilter

• Object
• HTML::Pipeline::SanitizationFilter
• BaseSanitizationFilter
• Banzai::Filter::SanitizationFilter

Defined in:

lib/banzai/filter/sanitization_filter.rb

Overview

Sanitize HTML produced by Markdown.

Extends Banzai::Filter::BaseSanitizationFilter with specific rules.

Constant Summary

TABLE_ALIGNMENT_PATTERN =

Styles used by Markdown for table alignment

/text-align: (?<alignment>center|left|right)/

ALLOWED_IDIFF_CLASSES =

%w[idiff left right deletion addition].freeze

HEADER_NODE_NAMES =

%w[h1 h2 h3 h4 h5 h6].freeze

Constants inherited from BaseSanitizationFilter

BaseSanitizationFilter::UNSAFE_PROTOCOLS

Constants included from Gitlab::Utils::SanitizeNodeLink

Gitlab::Utils::SanitizeNodeLink::ATTRS_TO_SANITIZE, Gitlab::Utils::SanitizeNodeLink::UNSAFE_PROTOCOLS

Constants included from Concerns::TimeoutFilterHandler

Concerns::TimeoutFilterHandler::COMPLEX_MARKDOWN_MESSAGE, Concerns::TimeoutFilterHandler::RENDER_TIMEOUT, Concerns::TimeoutFilterHandler::SANITIZATION_RENDER_TIMEOUT

Class Method Summary

• .remove_code_class?(node) ⇒ Boolean
• .remove_div_class?(node) ⇒ Boolean
• .remove_id_attributes(env) ⇒ Object
• .remove_input_class?(node) ⇒ Boolean
• .remove_li_class?(node) ⇒ Boolean
• .remove_link_class?(node) ⇒ Boolean
• .remove_non_tasklist_inputs(env) ⇒ Object
• .remove_p_class?(node) ⇒ Boolean
• .remove_span_class?(node) ⇒ Boolean
• .remove_ul_ol_class?(node) ⇒ Boolean
• .remove_unsafe_classes(env) ⇒ Object

  rubocop:disable Metrics/CyclomaticComplexity – dispatch method.

• .remove_unsafe_table_style(env) ⇒ Object

Instance Method Summary

• #customize_allowlist(allowlist) ⇒ Object

Methods inherited from BaseSanitizationFilter

#allowlist, #call, remove_rel

Methods included from Gitlab::Utils::SanitizeNodeLink

#permit_url?, #remove_unsafe_links, #safe_protocol?, #sanitize_unsafe_links

Methods included from Concerns::TimeoutFilterHandler

#call

Class Method Details

.remove_code_class?(node) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/banzai/filter/sanitization_filter.rb', line 154

def remove_code_class?(node)
  node['class'] != 'idiff'
end

.remove_div_class?(node) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/banzai/filter/sanitization_filter.rb', line 136

def remove_div_class?(node)
  node['class'] != 'markdown-alert markdown-alert-note' &&
    node['class'] != 'markdown-alert markdown-alert-tip' &&
    node['class'] != 'markdown-alert markdown-alert-important' &&
    node['class'] != 'markdown-alert markdown-alert-warning' &&
    node['class'] != 'markdown-alert markdown-alert-caution'
end

.remove_id_attributes(env) ⇒ Object

# File 'lib/banzai/filter/sanitization_filter.rb', line 171

def remove_id_attributes(env)
  node = env[:node]
  return unless node.has_attribute?('id')

  id = node['id']

  case node.name
  when 'a'
    # footnote ids should not be removed
    return if id.start_with?(Banzai::Filter::FootnoteFilter::FOOTNOTE_LINK_ID_PREFIX)
  when 'li'
    # footnote ids should not be removed
    return if id.start_with?(Banzai::Filter::FootnoteFilter::FOOTNOTE_ID_PREFIX)
  when *HEADER_NODE_NAMES
    # headers with generated header anchors should not be removed
    return if id.start_with?(Banzai::Renderer::USER_CONTENT_ID_PREFIX)
  else
    return
  end

  node.remove_attribute('id')
end

.remove_input_class?(node) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/banzai/filter/sanitization_filter.rb', line 167

def remove_input_class?(node)
  node['class'] != 'task-list-item-checkbox'
end

.remove_li_class?(node) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/banzai/filter/sanitization_filter.rb', line 162

def remove_li_class?(node)
  node['class'] != 'task-list-item' &&
    node['class'] != 'inapplicable task-list-item'
end

.remove_link_class?(node) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/banzai/filter/sanitization_filter.rb', line 132

def remove_link_class?(node)
  node['class'] != 'anchor'
end

.remove_non_tasklist_inputs(env) ⇒ Object

# File 'lib/banzai/filter/sanitization_filter.rb', line 194

def remove_non_tasklist_inputs(env)
  node = env[:node]

  return unless node.name == 'input'

  return if node['type'] == 'checkbox' && node['class'] == 'task-list-item-checkbox' && node.parent.name == 'li'

  node.remove
end

.remove_p_class?(node) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/banzai/filter/sanitization_filter.rb', line 144

def remove_p_class?(node)
  node['class'] != 'markdown-alert-title'
end

.remove_span_class?(node) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/banzai/filter/sanitization_filter.rb', line 148

def remove_span_class?(node)
  return true unless node['class'].include?('idiff')

  (node['class'].split - ALLOWED_IDIFF_CLASSES).present?
end

.remove_ul_ol_class?(node) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/banzai/filter/sanitization_filter.rb', line 158

def remove_ul_ol_class?(node)
  node['class'] != 'task-list'
end

.remove_unsafe_classes(env) ⇒ Object

rubocop:disable Metrics/CyclomaticComplexity – dispatch method.

# File 'lib/banzai/filter/sanitization_filter.rb', line 107

def remove_unsafe_classes(env) # rubocop:disable Metrics/CyclomaticComplexity -- dispatch method.
  node = env[:node]

  return unless node.has_attribute?('class')

  case node.name
  when 'a'
    node.remove_attribute('class') if remove_link_class?(node)
  when 'div'
    node.remove_attribute('class') if remove_div_class?(node)
  when 'p'
    node.remove_attribute('class') if remove_p_class?(node)
  when 'span'
    node.remove_attribute('class') if remove_span_class?(node)
  when 'code'
    node.remove_attribute('class') if remove_code_class?(node)
  when 'ul', 'ol'
    node.remove_attribute('class') if remove_ul_ol_class?(node)
  when 'li'
    node.remove_attribute('class') if remove_li_class?(node)
  when 'input'
    node.remove_attribute('class') if remove_input_class?(node)
  end
end

.remove_unsafe_table_style(env) ⇒ Object

# File 'lib/banzai/filter/sanitization_filter.rb', line 94

def remove_unsafe_table_style(env)
  node = env[:node]

  return unless node.name == 'th' || node.name == 'td'
  return unless node.has_attribute?('style')

  if node['style'] =~ TABLE_ALIGNMENT_PATTERN
    node['style'] = "text-align: #{$~[:alignment]}"
  else
    node.remove_attribute('style')
  end
end

Instance Method Details

#customize_allowlist(allowlist) ⇒ Object

# File 'lib/banzai/filter/sanitization_filter.rb', line 14

def customize_allowlist(allowlist)
  allowlist[:allow_comments] = context[:allow_comments]

  allow_table_alignment(allowlist)
  allow_json_table_attributes(allowlist)
  allow_sourcepos_and_escaped_char(allowlist)
  allow_id_attributes(allowlist)
  allow_class_attributes(allowlist)
  allow_section_footnotes(allowlist)
  allow_anchor_data_heading_content(allowlist)
  allow_tasklists(allowlist)

  allowlist
end