author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-08-19 12:08:42 +0300 |
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-08-19 12:08:42 +0300 |
commit | b76ae638462ab0f673e5915986070518dd3f9ad3 (patch) | |
tree | bdab0533383b52873be0ec0eb4d3c66598ff8b91 /app/assets/javascripts/lib | |
parent | 434373eabe7b4be9593d18a585fb763f1e5f1a6f (diff) |
Add latest changes from gitlab-org/gitlab@14-2-stable-eev14.2.0-rc42
Diffstat (limited to 'app/assets/javascripts/lib')
-rw-r--r-- | app/assets/javascripts/lib/dompurify.js | 17 | ||||
-rw-r--r-- | app/assets/javascripts/lib/utils/common_utils.js | 25 | ||||
-rw-r--r-- | app/assets/javascripts/lib/utils/url_utility.js | 16 |
3 files changed, 30 insertions, 28 deletions
diff --git a/app/assets/javascripts/lib/dompurify.js b/app/assets/javascripts/lib/dompurify.js
index 4357918672d..a026f76e51b 100644
--- a/app/assets/javascripts/lib/dompurify.js
+++ b/app/assets/javascripts/lib/dompurify.js
@@ -1,14 +1,14 @@
 import { sanitize as dompurifySanitize, addHook } from 'dompurify';
 import { getBaseURL, relativePathToAbsolute } from '~/lib/utils/url_utility';
 
-// Safely allow SVG <use> tags
-
 const defaultConfig = {
+  // Safely allow SVG <use> tags
   ADD_TAGS: ['use'],
+  // Prevent possible XSS attacks with data-* attributes used by @rails/ujs
+  // See https://gitlab.com/gitlab-org/gitlab-ui/-/issues/1421
+  FORBID_ATTR: ['data-remote', 'data-url', 'data-type', 'data-method'],
 };
 
-const forbiddenDataAttrs = ['data-remote', 'data-url', 'data-type', 'data-method'];
-
 // Only icons urls from `gon` are allowed
 const getAllowedIconUrls = (gon = window.gon) =>
   [gon.sprite_file_icons, gon.sprite_icons].filter(Boolean);
@@ -46,19 +46,10 @@ const sanitizeSvgIcon = (node) => {
   removeUnsafeHref(node, 'xlink:href');
 };
 
-const sanitizeHTMLAttributes = (node) => {
-  forbiddenDataAttrs.forEach((attr) => {
-    if (node.hasAttribute(attr)) {
-      node.removeAttribute(attr);
-    }
-  });
-};
-
 addHook('afterSanitizeAttributes', (node) => {
   if (node.tagName.toLowerCase() === 'use') {
     sanitizeSvgIcon(node);
   }
-  sanitizeHTMLAttributes(node);
 });
 
 export const sanitize = (val, config = defaultConfig) => dompurifySanitize(val, config);
diff --git a/app/assets/javascripts/lib/utils/common_utils.js b/app/assets/javascripts/lib/utils/common_utils.js
index 8a051041fbe..8f86fd55d6e 100644
--- a/app/assets/javascripts/lib/utils/common_utils.js
+++ b/app/assets/javascripts/lib/utils/common_utils.js
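Review bot: Moving the data-* stripping from the `afterSanitizeAttributes` hook into `defaultConfig.FORBID_ATTR` (first hunk) narrows where it applies: the hook ran on every sanitization, but the config only takes effect when `sanitize` is called without its own `config` argument (second hunk, `config = defaultConfig`), so a caller passing a custom config now keeps `data-remote`/`data-url`/`data-type`/`data-method` — exactly the attributes the new comment says are an XSS concern with @rails/ujs — and loses `ADD_TAGS: ['use']` as well. Whether any caller supplies its own config is not visible in this diff; `addHook` also registers on the shared DOMPurify instance, so the old behaviour presumably covered code importing `dompurify` directly too, which the config change does not. If the guarantee is meant to be unconditional, merge the forbidden list into whatever the caller passes, e.g. `export const sanitize = (val, config = {}) =>` / `dompurifySanitize(val, { ...defaultConfig, ...config, FORBID_ATTR: [...defaultConfig.FORBID_ATTR, ...(config.FORBID_ATTR ?? [])] });`, or keep the hook alongside the config and note in the comment which of the two is authoritative.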
@@ -151,11 +151,24 @@ export const isMetaKey = (e) => e.metaKey || e.ctrlKey || e.altKey || e.shiftKey
 // 3) Middle-click or Mouse Wheel Click (e.which is 2)
 export const isMetaClick = (e) => e.metaKey || e.ctrlKey || e.which === 2;
 
+/**
+ * Get the current computed outer height for given selector.
+ */
+export const getOuterHeight = (selector) => {
+  const element = document.querySelector(selector);
+
+  if (!element) {
+    return undefined;
+  }
+
+  return element.offsetHeight;
+};
+
 export const contentTop = () => {
   const isDesktop = breakpointInstance.isDesktop();
   const heightCalculators = [
-    () => $('#js-peek').outerHeight(),
-    () => $('.navbar-gitlab').outerHeight(),
+    () => getOuterHeight('#js-peek'),
+    () => getOuterHeight('.navbar-gitlab'),
     ({ desktop }) => {
       const container = document.querySelector('.line-resolve-all-container');
       let size = 0;
@@ -166,14 +179,14 @@ export const contentTop = () => {
 
       return size;
     },
-    () => $('.merge-request-tabs').outerHeight(),
-    () => $('.js-diff-files-changed').outerHeight(),
+    () => getOuterHeight('.merge-request-tabs'),
+    () => getOuterHeight('.js-diff-files-changed'),
     ({ desktop }) => {
       const diffsTabIsActive = window.mrTabs?.currentAction === 'diffs';
       let size;
 
       if (desktop && diffsTabIsActive) {
-        size = $('.diff-file .file-title-flex-parent:visible').outerHeight();
+        size = getOuterHeight('.diff-file .file-title-flex-parent:not([style="display:none"])');
       }
 
       return size;
@@ -182,7 +195,7 @@ export const contentTop = () => {
       let size;
 
       if (desktop) {
-        size = $('.mr-version-controls').outerHeight();
+        size = getOuterHeight('.mr-version-controls');
       }
 
       return size;
diff --git a/app/assets/javascripts/lib/utils/url_utility.js b/app/assets/javascripts/lib/utils/url_utility.js
index 7922ff22a70..e9772232eaf 100644
--- a/app/assets/javascripts/lib/utils/url_utility.js
+++ b/app/assets/javascripts/lib/utils/url_utility.js
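Review bot: The JSDoc on the new `getOuterHeight` (first hunk) should spell out its contract, because it replaces jQuery's `outerHeight()` in `contentTop` and the two do not measure the same thing: `offsetHeight` is an integer and reads 0 for an element that is not rendered (`display: none`), and the function returns `undefined` when nothing matches the selector. A header along the lines of `* Returns the offsetHeight (an integer; 0 when the element is not rendered) of the first element matching selector, or undefined when no element matches.` plus `* @param {string} selector - CSS selector passed to document.querySelector` and `* @returns {number|undefined}` would let readers of the height calculators know which of 0 and undefined to expect.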
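Review bot: The replacement selector `.diff-file .file-title-flex-parent:not([style="display:none"])` (second hunk) is an exact-string match on the inline style attribute, which is a much narrower test than jQuery's `:visible`: a title hidden by `display: none` with a space, by a CSS class, or by a hidden ancestor still matches, `querySelector` then returns that first hidden element, and its `offsetHeight` of 0 is reported instead of the height of the first visible title. Since `offsetHeight` already yields 0 for anything not rendered, selecting the first element with a non-zero height tracks the old `:visible` semantics more faithfully: `size = Array.from(document.querySelectorAll('.diff-file .file-title-flex-parent'))` / `  .find((el) => el.offsetHeight > 0)?.offsetHeight;` (optional chaining is already used on the line above). `contentTop` starts and ends outside this hunk, so I cannot see how a 0 versus `undefined` result is combined downstream.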
@@ -474,19 +474,17 @@ export function queryToObject(query, { gatherArrays = false, legacySpacesDecode }
       const decodedValue = legacySpacesDecode
         ? decodeURIComponent(value)
         : decodeUrlParameter(value);
+      const decodedKey = legacySpacesDecode ? decodeURIComponent(key) : decodeUrlParameter(key);
 
-      if (gatherArrays && key.endsWith('[]')) {
-        const decodedKey = legacySpacesDecode
-          ? decodeURIComponent(key.slice(0, -2))
-          : decodeUrlParameter(key.slice(0, -2));
+      if (gatherArrays && decodedKey.endsWith('[]')) {
+        const decodedArrayKey = decodedKey.slice(0, -2);
 
-        if (!Array.isArray(accumulator[decodedKey])) {
-          accumulator[decodedKey] = [];
+        if (!Array.isArray(accumulator[decodedArrayKey])) {
+          accumulator[decodedArrayKey] = [];
         }
 
-        accumulator[decodedKey].push(decodedValue);
-      } else {
-        const decodedKey = legacySpacesDecode ? decodeURIComponent(key) : decodeUrlParameter(key);
+        accumulator[decodedArrayKey].push(decodedValue);
+      } else {
         accumulator[decodedKey] = decodedValue;
       }