diff options
| author | Ahmad Sherif <me@ahmadsherif.com> | 2016-09-21 15:55:04 +0200 |
|---|---|---|
| committer | Ahmad Sherif <me@ahmadsherif.com> | 2016-09-23 15:29:28 +0200 |
| commit | ca823abacd85f3b78d4b0aeb3e07fdc7a39f090d (patch) | |
| tree | 6c1842084325cfd307e8c5d270f61732370d743f /lib | |
| parent | 0fe33f925a26c5004080a0102e6665fc8012a67d (diff) | |
| download | gitlab-ce-ca823abacd85f3b78d4b0aeb3e07fdc7a39f090d.tar.gz | |
Fix the leak mentioned in 504a3b5 by another way
The previous fix introduced another leak; as it made
Banzai::Filter::SanitizationFiler#customized? always return false, so we
were always appending two elements to
HTML::Pipeline::SanitizationFilter::WHITELIST[:elements]. This growth in
the elements array would slow the sanitization process over time.
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/banzai/filter/sanitization_filter.rb | 60 |
1 files changed, 31 insertions, 29 deletions
diff --git a/lib/banzai/filter/sanitization_filter.rb b/lib/banzai/filter/sanitization_filter.rb index ca80aac5a08..2470362e019 100644 --- a/lib/banzai/filter/sanitization_filter.rb +++ b/lib/banzai/filter/sanitization_filter.rb @@ -43,55 +43,57 @@ module Banzai whitelist[:protocols].delete('a') # ...but then remove links with unsafe protocols - whitelist[:transformers].push(remove_unsafe_links) + whitelist[:transformers].push(self.class.remove_unsafe_links) # Remove `rel` attribute from `a` elements - whitelist[:transformers].push(remove_rel) + whitelist[:transformers].push(self.class.remove_rel) # Remove `class` attribute from non-highlight spans - whitelist[:transformers].push(clean_spans) + whitelist[:transformers].push(self.class.clean_spans) whitelist end - def remove_unsafe_links - lambda do |env| - node = env[:node] + class << self + def remove_unsafe_links + lambda do |env| + node = env[:node] - return unless node.name == 'a' - return unless node.has_attribute?('href') + return unless node.name == 'a' + return unless node.has_attribute?('href') - begin - uri = Addressable::URI.parse(node['href']) - uri.scheme = uri.scheme.strip.downcase if uri.scheme + begin + uri = Addressable::URI.parse(node['href']) + uri.scheme = uri.scheme.strip.downcase if uri.scheme - node.remove_attribute('href') if UNSAFE_PROTOCOLS.include?(uri.scheme) - rescue Addressable::URI::InvalidURIError - node.remove_attribute('href') + node.remove_attribute('href') if UNSAFE_PROTOCOLS.include?(uri.scheme) + rescue Addressable::URI::InvalidURIError + node.remove_attribute('href') + end end end - end - def remove_rel - lambda do |env| - if env[:node_name] == 'a' - env[:node].remove_attribute('rel') + def remove_rel + lambda do |env| + if env[:node_name] == 'a' + env[:node].remove_attribute('rel') + end end end - end - def clean_spans - lambda do |env| - node = env[:node] + def clean_spans + lambda do |env| + node = env[:node] - return unless node.name == 'span' - return unless node.has_attribute?('class') + return unless node.name == 'span' + return unless node.has_attribute?('class') - unless has_ancestor?(node, 'pre') - node.remove_attribute('class') - end + unless node.ancestors.any? { |n| n.name.casecmp('pre').zero? } + node.remove_attribute('class') + end - { node_whitelist: [node] } + { node_whitelist: [node] } + end end end end |