0007-CommonMark-update-Sanitize.patch

Update Sanitize & avoid deprecated keywords - Martin Cizek, 2021-04-17 20:23

Download (3.72 KB)

View differences:

Gemfile
48 48

  
49 49
# Optional CommonMark support, not for JRuby
50 50
group :common_mark do
51
  gem "html-pipeline", "~> 2.12"
52
  gem "commonmarker", "~> 0.20"
53
  gem "sanitize", "~> 5.1"
51
  gem "html-pipeline", "~> 2.13.2"
52
  gem "commonmarker", "~> 0.21"
53
  gem "sanitize", "~> 5.2"
54 54
end
55 55

  
56 56
# Include database gems for the adapters found in the database
lib/redmine/wiki_formatting/common_mark/sanitization_filter.rb
30 30
          "a" => %w(href).freeze,
31 31
        }.freeze
32 32

  
33
        def whitelist
34
          @@whitelist ||= customize_whitelist(super.deep_dup)
33
        def allowlist
34
          @@allowlist ||= customize_allowlist(super.deep_dup)
35 35
        end
36 36

  
37 37
        private
38 38

  
39
        # customizes the whitelist defined in
39
        # customizes the allowlist defined in
40 40
        # https://github.com/jch/html-pipeline/blob/master/lib/html/pipeline/sanitization_filter.rb
41
        def customize_whitelist(whitelist)
41
        def customize_allowlist(allowlist)
42 42
          # Disallow `name` attribute globally, allow on `a`
43
          whitelist[:attributes][:all].delete("name")
44
          whitelist[:attributes]["a"].push("name")
43
          allowlist[:attributes][:all].delete("name")
44
          allowlist[:attributes]["a"].push("name")
45 45

  
46 46
          # allow class on code tags (this holds the language info from fenced
47 47
          # code bocks and has the format language-foo)
48
          whitelist[:attributes]["code"] = %w(class)
49
          whitelist[:transformers].push lambda{|env|
48
          allowlist[:attributes]["code"] = %w(class)
49
          allowlist[:transformers].push lambda{|env|
50 50
            node = env[:node]
51 51
            return unless node.name == "code"
52 52
            return unless node.has_attribute?("class")
......
61 61
          # commonmarker option (which we do not, currently).
62 62
          # By default, the align attribute is used (which is allowed on all
63 63
          # elements).
64
          # whitelist[:attributes]["th"] = %w(style)
65
          # whitelist[:attributes]["td"] = %w(style)
66
          # whitelist[:css] = { properties: ["text-align"] }
64
          # allowlist[:attributes]["th"] = %w(style)
65
          # allowlist[:attributes]["td"] = %w(style)
66
          # allowlist[:css] = { properties: ["text-align"] }
67 67

  
68 68
          # Allow `id` in a and li elements for footnotes
69 69
          # and remove any `id` properties not matching for footnotes
70
          whitelist[:attributes]["a"].push "id"
71
          whitelist[:attributes]["li"] = %w(id)
72
          whitelist[:transformers].push lambda{|env|
70
          allowlist[:attributes]["a"].push "id"
71
          allowlist[:attributes]["li"] = %w(id)
72
          allowlist[:transformers].push lambda{|env|
73 73
            node = env[:node]
74 74
            return unless node.name == "a" || node.name == "li"
75 75
            return unless node.has_attribute?("id")
......
79 79
          }
80 80

  
81 81
          # https://github.com/rgrove/sanitize/issues/209
82
          whitelist[:protocols].delete("a")
83
          whitelist[:transformers].push lambda{|env|
82
          allowlist[:protocols].delete("a")
83
          allowlist[:transformers].push lambda{|env|
84 84
            node = env[:node]
85 85
            return if node.type != Nokogiri::XML::Node::ELEMENT_NODE
86 86
            name = env[:node_name]
......
94 94
            end
95 95
          }
96 96

  
97
          whitelist
97
          allowlist
98 98
        end
99 99
      end
100 100