diff options
Diffstat (limited to 'app')
| -rw-r--r-- | app/helpers/blob_helper.rb | 12 | ||||
| -rw-r--r-- | app/views/projects/blob/_blob.html.haml | 5 |
2 files changed, 16 insertions, 1 deletions
diff --git a/app/helpers/blob_helper.rb b/app/helpers/blob_helper.rb index 694c03206bd..16967927922 100644 --- a/app/helpers/blob_helper.rb +++ b/app/helpers/blob_helper.rb @@ -126,4 +126,16 @@ module BlobHelper blob.size end end + + def blob_svg?(blob) + blob.language && blob.language.name == 'SVG' + end + + # SVGs can contain malicious JavaScript; only include whitelisted + # elements and attributes. Note that this whitelist is by no means complete + # and may omit some elements. + def sanitize_svg(blob) + blob.data = Loofah.scrub_fragment(blob.data, :strip).to_xml + blob + end end diff --git a/app/views/projects/blob/_blob.html.haml b/app/views/projects/blob/_blob.html.haml index 3d8d88834e2..2c5b8dc4356 100644 --- a/app/views/projects/blob/_blob.html.haml +++ b/app/views/projects/blob/_blob.html.haml @@ -35,7 +35,10 @@ - if blob.lfs_pointer? = render "download", blob: blob - elsif blob.text? - = render "text", blob: blob + - if blob_svg?(blob) + = render "image", blob: sanitize_svg(blob) + - else + = render "text", blob: blob - elsif blob.image? = render "image", blob: blob - else |