Class: Banzai::Filter::BaseSanitizationFilter
Inherits: HTML::Pipeline::SanitizationFilter
  Object
  HTML::Pipeline::SanitizationFilter
  Banzai::Filter::BaseSanitizationFilter
Extended by: Gitlab::Utils::SanitizeNodeLink
Includes: Gitlab::Utils::StrongMemoize
Defined in: lib/banzai/filter/base_sanitization_filter.rb
Overview
Sanitize HTML produced by markup languages (Markdown, AsciiDoc…). Specific rules are implemented in dedicated filters:
- Banzai::Filter::SanitizationFilter (Markdown)
- Banzai::Filter::AsciiDocSanitizationFilter (AsciiDoc/Asciidoctor)
- Banzai::Filter::BroadcastMessageSanitizationFilter (Markdown with styled links and line breaks)
Extends HTML::Pipeline::SanitizationFilter with common rules.
Direct Known Subclasses
AsciiDocSanitizationFilter, BroadcastMessageSanitizationFilter, SanitizationFilter
Constant Summary
- UNSAFE_PROTOCOLS = %w[data javascript vbscript].freeze
Constants included from Gitlab::Utils::SanitizeNodeLink
Gitlab::Utils::SanitizeNodeLink::ATTRS_TO_SANITIZE
Methods included from Gitlab::Utils::SanitizeNodeLink
remove_unsafe_links, safe_protocol?, sanitize_unsafe_links
Class Method Details
.remove_rel ⇒ Object
    # File 'lib/banzai/filter/base_sanitization_filter.rb', line 63
    def remove_rel
      lambda do |env|
        if env[:node_name] == 'a'
          # we allow rel="license" to support the Rel-license microformat
          # http://microformats.org/wiki/rel-license
          unless env[:node].attribute('rel')&.value == 'license'
            env[:node].remove_attribute('rel')
          end
        end
      end
    end
Instance Method Details
#allowlist ⇒ Object
    # File 'lib/banzai/filter/base_sanitization_filter.rb', line 19
    def allowlist
      strong_memoize(:allowlist) do
        allowlist = super.deep_dup

        # Allow span elements
        allowlist[:elements].push('span')

        # Allow data-math-style attribute in order to support LaTeX formatting
        allowlist[:attributes]['code'] = %w[data-math-style]
        allowlist[:attributes]['pre'] = %w[data-canonical-lang data-lang-params data-math-style data-mermaid-style data-kroki-style]

        # Allow html5 details/summary elements
        allowlist[:elements].push('details')
        allowlist[:elements].push('summary')

        # Allow abbr elements with title attribute
        allowlist[:elements].push('abbr')
        allowlist[:attributes]['abbr'] = %w[title]

        # Disallow `name` attribute globally, allow on `a`
        allowlist[:attributes][:all].delete('name')
        allowlist[:attributes]['a'].push('name')

        allowlist[:attributes]['img'].push('data-diagram')
        allowlist[:attributes]['img'].push('data-diagram-src')

        # Allow any protocol in `a` elements
        # and then remove links with unsafe protocols
        allowlist[:protocols].delete('a')
        allowlist[:transformers].push(self.class.method(:sanitize_unsafe_links))

        # Remove `rel` attribute from `a` elements
        allowlist[:transformers].push(self.class.remove_rel)

        customize_allowlist(allowlist)
      end
    end
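The two transformers pushed onto allowlist[:transformers] (sanitize_unsafe_links and remove_rel) are where this filter's security decisions happen: the protocol restriction on `a` is removed from the Sanitize allowlist, so every scheme reaches the transformer and the three UNSAFE_PROTOCOLS must be denied there. The following is an added example, not GitLab's code, that models both transformers against a minimal stand-in for a Nokogiri node so the behaviour can be run without html-pipeline, sanitize or Nokogiri installed. REMOVE_REL is the lambda from this page and UNSAFE_PROTOCOLS is the page's constant; unsafe_href? and SANITIZE_UNSAFE_LINKS are assumptions standing in for Gitlab::Utils::SanitizeNodeLink, whose implementation is not shown here, and Attr, Node, SAMPLE_NODES and sanitize_nodes are constructed for the example.

```ruby
# Added example, not GitLab's code: models the two transformers that
# BaseSanitizationFilter#allowlist installs, using a stand-in for Nokogiri
# nodes so it runs without html-pipeline, sanitize or Nokogiri.

# Constant as defined on the page.
UNSAFE_PROTOCOLS = %w[data javascript vbscript].freeze

# Constructed stand-ins: a Nokogiri attribute exposes #value, and an element
# exposes #attribute(name) / #remove_attribute(name).
Attr = Struct.new(:value)

Node = Struct.new(:name, :attrs) do
  def attribute(key)
    attrs.key?(key) ? Attr.new(attrs[key]) : nil
  end

  def remove_attribute(key)
    attrs.delete(key)
  end
end

# Lambda copied from the page's BaseSanitizationFilter.remove_rel.
REMOVE_REL = lambda do |env|
  if env[:node_name] == 'a'
    # rel="license" is kept to support the rel-license microformat
    unless env[:node].attribute('rel')&.value == 'license'
      env[:node].remove_attribute('rel')
    end
  end
end

# ASSUMPTION: simplified stand-in for Gitlab::Utils::SanitizeNodeLink#safe_protocol?,
# which the page does not show. Whitespace and control characters are stripped
# before the scheme is read, because browsers ignore them inside a scheme;
# a value with no colon is a relative URL and therefore safe.
def unsafe_href?(href)
  return false if href.nil?

  cleaned = href.gsub(/[[:space:][:cntrl:]]/, '').downcase
  return false unless cleaned.include?(':')

  scheme = cleaned.split(':', 2).first
  UNSAFE_PROTOCOLS.include?(scheme)
end

# ASSUMPTION: stand-in for Gitlab::Utils::SanitizeNodeLink.sanitize_unsafe_links;
# it drops the href attribute of an <a> whose scheme is denied.
SANITIZE_UNSAFE_LINKS = lambda do |env|
  return unless env[:node_name] == 'a'

  env[:node].remove_attribute('href') if unsafe_href?(env[:node].attribute('href')&.value)
end

# Same order as the page's allowlist: unsafe links first, then rel stripping.
TRANSFORMERS = [SANITIZE_UNSAFE_LINKS, REMOVE_REL].freeze

# Calls every transformer with the { node_name:, node: } env that Sanitize
# passes to allowlist[:transformers].
def sanitize_nodes(nodes, transformers = TRANSFORMERS)
  nodes.each do |node|
    transformers.each { |t| t.call({ node_name: node.name, node: node }) }
  end
  nodes
end

# Constructed sample: what the transformers might see once the protocol
# restriction on <a> has been lifted. Both transformers act only on <a>, so
# the <link> element is left to the element allowlist and passes through here.
SAMPLE_NODES = [
  Node.new('a', { 'href' => 'https://gitlab.com', 'rel' => 'nofollow' }),
  Node.new('a', { 'href' => 'JavaScript:void(0)', 'rel' => 'license' }),
  Node.new('a', { 'href' => 'data:text/html;base64,AAAA' }),
  Node.new('a', { 'href' => 'mailto:security@example.com' }),
  Node.new('link', { 'href' => 'javascript:void(0)', 'rel' => 'stylesheet' })
].freeze

# Sanitizes a copy of the sample so the constant stays intact.
def sanitized_sample
  sanitize_nodes(SAMPLE_NODES.map { |n| Node.new(n.name, n.attrs.dup) })
end

if __FILE__ == $PROGRAM_NAME
  sanitized_sample.each { |n| puts "<#{n.name}> #{n.attrs.inspect}" }
end
```

Running the file prints each sample node after both transformers have run: the https link keeps its href but loses rel="nofollow", the JavaScript: link loses its href but keeps rel="license", the data: link loses its href, the mailto: link is untouched because only the page's three schemes are denied, and the link element is unchanged. The scheme check is a denylist by design, which is why the normalisation step (stripping whitespace and control characters, lower-casing) matters: the comparison has to see the scheme the way a browser will.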
#customize_allowlist(allowlist) ⇒ Object
    # File 'lib/banzai/filter/base_sanitization_filter.rb', line 58
    def customize_allowlist(allowlist)
      raise NotImplementedError
    end