BigW Consortium Gitlab
Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
G
gitlab-ce
Project
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Commits
Issue Boards
Open sidebar
Forest Godfrey
gitlab-ce
Commits
a9eaa20d
Commit
a9eaa20d
authored
Jun 03, 2016
by
Gabriel Mazetto
Committed by
Robert Speicher
Jun 12, 2016
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Refactored SVG sanitizer
parent
388f6eaa
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
41 additions
and
24 deletions
+41
-24
svg.rb
lib/gitlab/sanitizers/svg.rb
+23
-24
svg_spec.rb
spec/lib/gitlab/sanitizers/svg_spec.rb
+18
-0
No files found.
lib/gitlab/sanitizers/svg.rb
View file @
a9eaa20d
...
...
@@ -10,30 +10,25 @@ module Gitlab
DATA_ATTR_PATTERN
=
/\Adata-(?!xml)[a-z_][\w.\u00E0-\u00F6\u00F8-\u017F\u01DD-\u02AF-]*\z/u
def
scrub
(
node
)
if
Whitelist
::
ALLOWED_ELEMENTS
.
include?
(
node
.
name
)
valid_attributes
=
Whitelist
::
ALLOWED_ATTRIBUTES
[
node
.
name
]
return
unless
valid_attributes
node
.
attribute_nodes
.
each
do
|
attr
|
attr_name
=
attribute_name_with_namespace
(
attr
)
if
valid_attributes
.
include?
(
attr_name
)
# xlink:href is on the whitelist but we should deny any reference other than internal ids
if
attr_name
==
'xlink:href'
&&
unsafe_href?
(
attr
)
attr
.
unlink
end
else
if
Whitelist
::
ALLOWED_DATA_ATTRIBUTES_IN_ELEMENTS
.
include?
(
node
.
name
)
&&
data_attribute?
(
attr
)
# Arbitrary data attributes are allowed. Verify that the attribute
# is a valid data attribute.
attr
.
unlink
unless
attr_name
=~
DATA_ATTR_PATTERN
else
attr
.
unlink
end
unless
Whitelist
::
ALLOWED_ELEMENTS
.
include?
(
node
.
name
)
node
.
unlink
return
end
valid_attributes
=
Whitelist
::
ALLOWED_ATTRIBUTES
[
node
.
name
]
return
unless
valid_attributes
node
.
attribute_nodes
.
each
do
|
attr
|
attr_name
=
attribute_name_with_namespace
(
attr
)
if
valid_attributes
.
include?
(
attr_name
)
attr
.
unlink
if
unsafe_href?
(
attr
)
else
# Arbitrary data attributes are allowed.
unless
allows_data_attribute?
(
node
)
&&
data_attribute?
(
attr
)
attr
.
unlink
end
end
else
node
.
unlink
end
end
...
...
@@ -45,12 +40,16 @@ module Gitlab
end
end
def
allows_data_attribute?
(
node
)
Whitelist
::
ALLOWED_DATA_ATTRIBUTES_IN_ELEMENTS
.
include?
(
node
.
name
)
end
def
unsafe_href?
(
attr
)
!
attr
.
value
.
start_with?
(
'#'
)
attribute_name_with_namespace
(
attr
)
==
'xlink:href'
&&
!
attr
.
value
.
start_with?
(
'#'
)
end
def
data_attribute?
(
attr
)
attr
.
name
.
start_with?
(
'data-'
)
attr
.
name
.
start_with?
(
'data-'
)
&&
attr
.
name
=~
DATA_ATTR_PATTERN
&&
attr
.
namespace
.
nil?
end
end
end
...
...
spec/lib/gitlab/sanitizers/svg_spec.rb
View file @
a9eaa20d
...
...
@@ -56,5 +56,23 @@ describe Gitlab::Sanitizers::SVG do
expect
(
scrubber
.
unsafe_href?
(
namespaced_attr
)).
to
be_falsey
end
end
describe
'#data_attribute?'
do
let
(
:data_attr
)
{
double
(
Nokogiri
::
XML
::
Attr
,
name:
'data-gitlab'
,
namespace:
nil
,
value:
'gitlab is awesome'
)
}
let
(
:namespaced_attr
)
{
double
(
Nokogiri
::
XML
::
Attr
,
name:
'data-gitlab'
,
namespace:
namespace
,
value:
'gitlab is awesome'
)
}
let
(
:other_attr
)
{
double
(
Nokogiri
::
XML
::
Attr
,
name:
'something'
,
namespace:
nil
,
value:
'content'
)
}
it
'returns true if is a valid data attribute'
do
expect
(
scrubber
.
data_attribute?
(
data_attr
)).
to
be_truthy
end
it
'returns false if attribute is namespaced'
do
expect
(
scrubber
.
data_attribute?
(
namespaced_attr
)).
to
be_falsey
end
it
'returns false if not a data attribute'
do
expect
(
scrubber
.
data_attribute?
(
other_attr
)).
to
be_falsey
end
end
end
end
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment