author | Stan Hu <stanhu@gmail.com> | 2016-03-24 22:39:58 -0700 |
---|---|---|
committer | Stan Hu <stanhu@gmail.com> | 2016-05-06 23:20:24 -0700 |
commit | 21d89d0286e385d6d0a4debdbf7c801939c3e279 (patch) | |
tree | b1b0190c153ae9bccb552f60a4dbf4e80edd56e0 /spec/helpers | |
parent | 2e1162272e2f90a3677f3def491907729b249434 (diff) | |
download | gitlab-ce-21d89d0286e385d6d0a4debdbf7c801939c3e279.tar.gz |
Update SVG sanitizer to conform to SVG 1.1
Use a custom Loofah scrubber since sanitize 2.x transformers are inadequate
to handle case-sensitive SVG attributes. sanitize parses documents as HTML
instead of XML, which causes all SVG attribute names (e.g. viewBox) to be downcased.
* SVG element list: https://www.w3.org/TR/SVG/eltindex.html
* SVG attribute list: https://www.w3.org/TR/SVG/attindex.html
Closes #14555
Diffstat (limited to 'spec/helpers')
-rw-r--r-- | spec/helpers/blob_helper_spec.rb | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/spec/helpers/blob_helper_spec.rb b/spec/helpers/blob_helper_spec.rb index 87849230dbe..6d1c02db297 100644 --- a/spec/helpers/blob_helper_spec.rb +++ b/spec/helpers/blob_helper_spec.rb @@ -67,4 +67,16 @@ describe BlobHelper do expect(result).to eq(expected) end end + + describe "#sanitize_svg" do + let(:input_svg_path) { File.join(Rails.root, 'spec', 'fixtures', 'unsanitized.svg') } + let(:data) { open(input_svg_path).read } + let(:expected_svg_path) { File.join(Rails.root, 'spec', 'fixtures', 'sanitized.svg') } + let(:expected) { open(expected_svg_path).read } + + it 'should retain essential elements' do + blob = OpenStruct.new(data: data) + expect(sanitize_svg(blob).data).to eq(expected) + end + end end |
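
Review bot: The only assertion in the new `#sanitize_svg` block is `expect(sanitize_svg(blob).data).to eq(expected)`, a whole-document comparison against the `sanitized.svg` fixture. Nothing in the spec itself states which elements or attributes must survive and which must be stripped, and a regression will surface as a full-file mismatch rather than pointing at the offending node. The commit message gives case-sensitive attribute names (e.g. viewBox) as the reason for the change, so add focused examples on small inline SVG strings next to the fixture comparison: one asserting that a mixed-case attribute is kept with its case intact, and one asserting that an element or attribute outside the whitelist is removed. The example name 'should retain essential elements' also covers only the retention side; if the fixture pair is meant to check removal as well, say so in the description. Separately, the `data` and `expected` `let` blocks use `open(path).read`, which leaves the file handle open until garbage collection; `File.read(path)` does the same job and closes the file.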