diff options
author | Robert Speicher <rspeicher@gmail.com> | 2018-07-04 00:50:48 +0300 |
---|---|---|
committer | Robert Speicher <rspeicher@gmail.com> | 2018-07-04 00:54:35 +0300 |
commit | d699362a0931427354a40246b72747837ad85fcb (patch) | |
tree | 76c643a589421d9dcb2e73cdfc5f8a5b438a47de | |
parent | 89bffe083d35a39e67d03ebd9a8e0c7bf0ca7bde (diff) |
Use strong_memoize to customize the SanitizationFilter whitelist
I never liked the hacky `customized?` method anyway, so this is cleaner.
-rw-r--r-- | lib/banzai/filter/sanitization_filter.rb | 17 |
1 files changed, 5 insertions, 12 deletions
diff --git a/lib/banzai/filter/sanitization_filter.rb b/lib/banzai/filter/sanitization_filter.rb index 4110163d3bd..8275bb9e149 100644 --- a/lib/banzai/filter/sanitization_filter.rb +++ b/lib/banzai/filter/sanitization_filter.rb @@ -4,27 +4,20 @@ module Banzai # # Extends HTML::Pipeline::SanitizationFilter with a custom whitelist. class SanitizationFilter < HTML::Pipeline::SanitizationFilter + include Gitlab::Utils::StrongMemoize + UNSAFE_PROTOCOLS = %w(data javascript vbscript).freeze TABLE_ALIGNMENT_PATTERN = /text-align: (?<alignment>center|left|right)/ def whitelist - whitelist = super.dup - - customize_whitelist(whitelist) - - whitelist + strong_memoize(:whitelist) do + customize_whitelist(super.dup) + end end private - def customized?(transformers) - transformers.last.source_location[0] == __FILE__ - end - def customize_whitelist(whitelist) - # Only push these customizations once - return if customized?(whitelist[:transformers]) - # Allow table alignment; we whitelist specific text-align values in a # transformer below whitelist[:attributes]['th'] = %w(style) |