Merge remote-tracking branch 'origin/master' into lazy-blobslazy-blobs

author: Jacob Vosmaer <contact@jacobvosmaer.nl> 2016-02-02 15:04:54 +0100
committer: Jacob Vosmaer <contact@jacobvosmaer.nl> 2016-02-02 15:04:54 +0100
commit: d3affe8bca5f5944c6819be1261cc4da7a2c9420 (patch)
tree: 047472310ccd89fb43a84101a6441917c461ebf1 /app/helpers
parent: e08aa3df905f09f1c964fb056cba922a1d6eaa85 (diff)
parent: 6cffcb05882b0d3c4a02f9acf21806e25ea09ec3 (diff)
download: gitlab-ce-lazy-blobs.tar.gz
1 files changed, 12 insertions, 0 deletions
diff --git a/app/helpers/blob_helper.rb b/app/helpers/blob_helper.rb
index 694c03206bd..16967927922 100644
--- a/app/helpers/blob_helper.rb
+++ b/app/helpers/blob_helper.rb
@@ -126,4 +126,16 @@ module BlobHelper
       blob.size
     end
   end
+
+  def blob_svg?(blob)
+    blob.language && blob.language.name == 'SVG'
+  end
+
+  # SVGs can contain malicious JavaScript; only include whitelisted
+  # elements and attributes. Note that this whitelist is by no means complete
+  # and may omit some elements.
+  def sanitize_svg(blob)
+    blob.data = Loofah.scrub_fragment(blob.data, :strip).to_xml
+    blob
+  end
 end
author	Jacob Vosmaer <contact@jacobvosmaer.nl>	2016-02-02 15:04:54 +0100
committer	Jacob Vosmaer <contact@jacobvosmaer.nl>	2016-02-02 15:04:54 +0100
commit	d3affe8bca5f5944c6819be1261cc4da7a2c9420 (patch)
tree	047472310ccd89fb43a84101a6441917c461ebf1 /app/helpers
parent	e08aa3df905f09f1c964fb056cba922a1d6eaa85 (diff)
parent	6cffcb05882b0d3c4a02f9acf21806e25ea09ec3 (diff)
download	gitlab-ce-lazy-blobs.tar.gz