diff options
| author | Christian Walther <cwalther@gmx.ch> | 2015-02-21 22:12:13 +0100 |
|---|---|---|
| committer | Christian Walther <cwalther@gmx.ch> | 2015-03-16 22:05:52 +0100 |
| commit | 90aa870c3607c170091b6034c0150f119697b0b9 (patch) | |
| tree | 471bf470ce926c33557110a37f9ee5036df20af0 | |
| parent | 71e146999c405ab301cd3c3e3aa03b89d46c461e (diff) | |
| download | gitlab-ce-90aa870c3607c170091b6034c0150f119697b0b9.tar.gz | |
Fix invalid Atom feeds when using emoji, horizontal rules, or images.
Fixes issues #880, #723, #1113: Markdown must be rendered to XHTML, not HTML, when generating summary content for Atom feeds. Otherwise, content-less tags like <img> and <hr>, generated when issue descriptions, merge request descriptions, comments, or commit messages use emoji, horizontal rules, or images, are not terminated and make the Atom XML invalid.
| -rw-r--r-- | CHANGELOG | 1 | ||||
| -rw-r--r-- | app/views/events/_event_issue.atom.haml | 2 | ||||
| -rw-r--r-- | app/views/events/_event_merge_request.atom.haml | 2 | ||||
| -rw-r--r-- | app/views/events/_event_note.atom.haml | 2 | ||||
| -rw-r--r-- | app/views/events/_event_push.atom.haml | 2 | ||||
| -rw-r--r-- | lib/gitlab/markdown.rb | 30 | ||||
| -rw-r--r-- | lib/redcarpet/render/gitlab_html.rb | 6 | ||||
| -rw-r--r-- | spec/features/atom/users_spec.rb | 27 |
8 files changed, 53 insertions, 19 deletions
diff --git a/CHANGELOG b/CHANGELOG index c4b5a847e12..92aadc05849 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -2,6 +2,7 @@ v 7.9.0 (unreleased) - Move labels/milestones tabs to sidebar - Improve UI for commits, issues and merge request lists - Fix commit comments on first line of diff not rendering in Merge Request Discussion view. + - Fix invalid Atom feeds when using emoji, horizontal rules, or images (Christian Walther) v 7.8.0 (unreleased) - Fix access control and protection against XSS for note attachments and other uploads. diff --git a/app/views/events/_event_issue.atom.haml b/app/views/events/_event_issue.atom.haml index eba2b63797a..0edb61ea246 100644 --- a/app/views/events/_event_issue.atom.haml +++ b/app/views/events/_event_issue.atom.haml @@ -1,3 +1,3 @@ %div{xmlns: "http://www.w3.org/1999/xhtml"} - if issue.description.present? - = markdown issue.description + = markdown(issue.description, xhtml: true) diff --git a/app/views/events/_event_merge_request.atom.haml b/app/views/events/_event_merge_request.atom.haml index 0aea2d17d65..1a8b62abeab 100644 --- a/app/views/events/_event_merge_request.atom.haml +++ b/app/views/events/_event_merge_request.atom.haml @@ -1,3 +1,3 @@ %div{xmlns: "http://www.w3.org/1999/xhtml"} - if merge_request.description.present? - = markdown merge_request.description + = markdown(merge_request.description, xhtml: true) diff --git a/app/views/events/_event_note.atom.haml b/app/views/events/_event_note.atom.haml index be0e05481ed..b49c331ccf2 100644 --- a/app/views/events/_event_note.atom.haml +++ b/app/views/events/_event_note.atom.haml @@ -1,2 +1,2 @@ %div{xmlns: "http://www.w3.org/1999/xhtml"} - = markdown note.note + = markdown(note.note, xhtml: true) diff --git a/app/views/events/_event_push.atom.haml b/app/views/events/_event_push.atom.haml index 2b63519edac..2fb9f7ec246 100644 --- a/app/views/events/_event_push.atom.haml +++ b/app/views/events/_event_push.atom.haml @@ -6,7 +6,7 @@ %i at = commit[:timestamp].to_time.to_s(:short) - %blockquote= markdown(escape_once(commit[:message])) + %blockquote= markdown(escape_once(commit[:message]), xhtml: true) - if event.commits_count > 15 %p %i diff --git a/lib/gitlab/markdown.rb b/lib/gitlab/markdown.rb index fb0218a2778..dceb2bc71f1 100644 --- a/lib/gitlab/markdown.rb +++ b/lib/gitlab/markdown.rb @@ -33,17 +33,23 @@ module Gitlab attr_reader :html_options - def gfm_with_tasks(text, project = @project, html_options = {}) - text = gfm(text, project, html_options) - parse_tasks(text) + # Public: Parse the provided text with GitLab-Flavored Markdown + # + # text - the source text + # project - extra options for the reference links as given to link_to + # html_options - extra options for the reference links as given to link_to + def gfm(text, project = @project, html_options = {}) + gfm_with_options(text, {}, project, html_options) end # Public: Parse the provided text with GitLab-Flavored Markdown # # text - the source text + # options - parse_tasks: true - render tasks + # - xhtml: true - output XHTML instead of HTML # project - extra options for the reference links as given to link_to # html_options - extra options for the reference links as given to link_to - def gfm(text, project = @project, html_options = {}) + def gfm_with_options(text, options = {}, project = @project, html_options = {}) return text if text.nil? # Duplicate the string so we don't alter the original, then call to_str @@ -86,14 +92,22 @@ module Gitlab markdown_pipeline = HTML::Pipeline::Gitlab.new(filters).pipeline result = markdown_pipeline.call(text, markdown_context) - text = result[:output].to_html(save_with: 0) + saveoptions = 0 + if options[:xhtml] + saveoptions |= Nokogiri::XML::Node::SaveOptions::AS_XHTML + end + text = result[:output].to_html(save_with: saveoptions) allowed_attributes = ActionView::Base.sanitized_allowed_attributes allowed_tags = ActionView::Base.sanitized_allowed_tags - sanitize text.html_safe, - attributes: allowed_attributes + %w(id class style), - tags: allowed_tags + %w(table tr td th) + text = sanitize text.html_safe, + attributes: allowed_attributes + %w(id class style), + tags: allowed_tags + %w(table tr td th) + if options[:parse_tasks] + text = parse_tasks(text) + end + text end private diff --git a/lib/redcarpet/render/gitlab_html.rb b/lib/redcarpet/render/gitlab_html.rb index 714261f815c..8b0c193f3db 100644 --- a/lib/redcarpet/render/gitlab_html.rb +++ b/lib/redcarpet/render/gitlab_html.rb @@ -58,10 +58,6 @@ class Redcarpet::Render::GitlabHTML < Redcarpet::Render::HTML unless @template.instance_variable_get("@project_wiki") || @project.nil? full_document = h.create_relative_links(full_document) end - if @options[:parse_tasks] - h.gfm_with_tasks(full_document) - else - h.gfm(full_document) - end + h.gfm_with_options(full_document, @options) end end diff --git a/spec/features/atom/users_spec.rb b/spec/features/atom/users_spec.rb index c0316b073ad..770ac04c2c5 100644 --- a/spec/features/atom/users_spec.rb +++ b/spec/features/atom/users_spec.rb @@ -15,17 +15,24 @@ describe "User Feed", feature: true do let(:project) { create(:project) } let(:issue) do create(:issue, project: project, - author: user, description: '') + author: user, description: "Houston, we have a bug!\n\n***\n\nI guess.") end let(:note) do create(:note, noteable: issue, author: user, - note: 'Bug confirmed', project: project) + note: 'Bug confirmed :+1:', project: project) + end + let(:merge_request) do + create(:merge_request, + title: 'Fix bug', author: user, + source_project: project, target_project: project, + description: "Here is the fix: ") end before do project.team << [user, :master] issue_event(issue, user) note_event(note, user) + merge_request_event(merge_request, user) visit user_path(user, :atom, private_token: user.private_token) end @@ -37,6 +44,18 @@ describe "User Feed", feature: true do expect(body). to have_content("#{safe_name} commented on issue ##{issue.iid}") end + + it 'should have XHTML summaries in issue descriptions' do + expect(body).to match /we have a bug!<\/p>\n\n<hr ?\/>\n\n<p>I guess/ + end + + it 'should have XHTML summaries in notes' do + expect(body).to match /Bug confirmed <img[^>]*\/>/ + end + + it 'should have XHTML summaries in merge request descriptions' do + expect(body).to match /Here is the fix: <img[^>]*\/>/ + end end end @@ -48,6 +67,10 @@ describe "User Feed", feature: true do EventCreateService.new.leave_note(note, user) end + def merge_request_event(request, user) + EventCreateService.new.open_mr(request, user) + end + def safe_name html_escape(user.name) end |