| 27 |
27 |
"a" => %w(href).freeze,
|
| 28 |
28 |
}.freeze
|
| 29 |
29 |
|
| 30 |
|
def whitelist
|
| 31 |
|
@@whitelist ||= customize_whitelist(super.deep_dup)
|
|
30 |
def allowlist
|
|
31 |
@@allowlist ||= customize_allowlist(super.deep_dup)
|
| 32 |
32 |
end
|
| 33 |
33 |
|
| 34 |
34 |
private
|
| 35 |
35 |
|
| 36 |
|
# customizes the whitelist defined in
|
|
36 |
# customizes the allowlist defined in
|
| 37 |
37 |
# https://github.com/jch/html-pipeline/blob/master/lib/html/pipeline/sanitization_filter.rb
|
| 38 |
|
def customize_whitelist(whitelist)
|
|
38 |
def customize_allowlist(allowlist)
|
| 39 |
39 |
# Disallow `name` attribute globally, allow on `a`
|
| 40 |
|
whitelist[:attributes][:all].delete("name")
|
| 41 |
|
whitelist[:attributes]["a"].push("name")
|
|
40 |
allowlist[:attributes][:all].delete("name")
|
|
41 |
allowlist[:attributes]["a"].push("name")
|
| 42 |
42 |
|
| 43 |
43 |
# allow class on code tags (this holds the language info from fenced
|
| 44 |
44 |
# code bocks and has the format language-foo)
|
| 45 |
|
whitelist[:attributes]["code"] = %w(class)
|
| 46 |
|
whitelist[:transformers].push lambda{|env|
|
|
45 |
allowlist[:attributes]["code"] = %w(class)
|
|
46 |
allowlist[:transformers].push lambda{|env|
|
| 47 |
47 |
node = env[:node]
|
| 48 |
48 |
return unless node.name == "code"
|
| 49 |
49 |
return unless node.has_attribute?("class")
|
| ... | ... | |
| 59 |
59 |
# commonmarker option (which we do not, currently).
|
| 60 |
60 |
# By default, the align attribute is used (which is allowed on all
|
| 61 |
61 |
# elements).
|
| 62 |
|
# whitelist[:attributes]["th"] = %w(style)
|
| 63 |
|
# whitelist[:attributes]["td"] = %w(style)
|
| 64 |
|
# whitelist[:css] = { properties: ["text-align"] }
|
|
62 |
# allowlist[:attributes]["th"] = %w(style)
|
|
63 |
# allowlist[:attributes]["td"] = %w(style)
|
|
64 |
# allowlist[:css] = { properties: ["text-align"] }
|
| 65 |
65 |
|
| 66 |
66 |
# Allow `id` in a and li elements for footnotes
|
| 67 |
67 |
# and remove any `id` properties not matching for footnotes
|
| 68 |
|
whitelist[:attributes]["a"].push "id"
|
| 69 |
|
whitelist[:attributes]["li"] = %w(id)
|
| 70 |
|
whitelist[:transformers].push lambda{|env|
|
|
68 |
allowlist[:attributes]["a"].push "id"
|
|
69 |
allowlist[:attributes]["li"] = %w(id)
|
|
70 |
allowlist[:transformers].push lambda{|env|
|
| 71 |
71 |
node = env[:node]
|
| 72 |
72 |
return unless node.name == "a" || node.name == "li"
|
| 73 |
73 |
return unless node.has_attribute?("id")
|
| ... | ... | |
| 78 |
78 |
}
|
| 79 |
79 |
|
| 80 |
80 |
# https://github.com/rgrove/sanitize/issues/209
|
| 81 |
|
whitelist[:protocols].delete("a")
|
| 82 |
|
whitelist[:transformers].push lambda{|env|
|
|
81 |
allowlist[:protocols].delete("a")
|
|
82 |
allowlist[:transformers].push lambda{|env|
|
| 83 |
83 |
node = env[:node]
|
| 84 |
84 |
return if node.type != Nokogiri::XML::Node::ELEMENT_NODE
|
| 85 |
85 |
|
| ... | ... | |
| 96 |
96 |
end
|
| 97 |
97 |
}
|
| 98 |
98 |
|
| 99 |
|
whitelist
|
|
99 |
allowlist
|
| 100 |
100 |
end
|
| 101 |
101 |
end
|
| 102 |
102 |
end
|
