From ffb107ac7d8ba17ecd4d10ef1d8a94d5c62630b2 Mon Sep 17 00:00:00 2001
From: Oswaldo Ferreira <oswaldo@gitlab.com>
Date: Mon, 26 Feb 2018 12:28:49 -0300
Subject: Keep link when redacting unauthorized object links

---
 lib/banzai/redactor.rb | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)

(limited to 'lib/banzai/redactor.rb')

diff --git a/lib/banzai/redactor.rb b/lib/banzai/redactor.rb
index 827df7c08ae..fd457bebf03 100644
--- a/lib/banzai/redactor.rb
+++ b/lib/banzai/redactor.rb
@@ -42,16 +42,33 @@ module Banzai
           next if visible.include?(node)
 
           doc_data[:visible_reference_count] -= 1
-          # The reference should be replaced by the original link's content,
-          # which is not always the same as the rendered one.
-          content = node.attr('data-original') || node.inner_html
-          node.replace(content)
+          redacted_content = redacted_node_content(node)
+          node.replace(redacted_content)
         end
       end
 
       metadata
     end
 
+    # Return redacted content of given node as either the original link (<a> tag),
+    # the original content (text), or the inner HTML of the node.
+    #
+    def redacted_node_content(node)
+      original_content = node.attr('data-original')
+      link_reference = node.attr('data-link-reference')
+
+      # Build the raw <a> tag just with a link as href and content if
+      # it's originally a link pattern. We shouldn't return a plain text href.
+      original_link =
+        if link_reference == 'true' && href = original_content
+          %(<a href="#{href}">#{href}</a>)
+        end
+
+      # The reference should be replaced by the original link's content,
+      # which is not always the same as the rendered one.
+      original_link || original_content || node.inner_html
+    end
+
     def redact_cross_project_references(documents)
       extractor = Banzai::IssuableExtractor.new(project, user)
       issuables = extractor.extract(documents)
-- 
cgit v1.2.1