authorGitLab Bot <gitlab-bot@gitlab.com>2022-05-12 18:08:59 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-05-12 18:08:59 +0300
commit0024c2f44455cf5ace9235a7efa195c12a1d72d2 (patch)
tree72d2e7d8f03fd479b8b3ca9915d12d116d37948f /app/assets/javascripts/lib
parentcb3b9f9243555b0c26145e2992a9f01f7fa47bf5 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app/assets/javascripts/lib')
-rw-r--r--app/assets/javascripts/lib/dompurify.js1
-rw-r--r--app/assets/javascripts/lib/utils/url_utility.js13
2 files changed, 14 insertions, 0 deletions
diff --git a/app/assets/javascripts/lib/dompurify.js b/app/assets/javascripts/lib/dompurify.js
index 47568f0ecff..4959550e273 100644
--- a/app/assets/javascripts/lib/dompurify.js
+++ b/app/assets/javascripts/lib/dompurify.js
@@ -7,6 +7,7 @@ const defaultConfig = {
// Prevent possible XSS attacks with data-* attributes used by @rails/ujs
// See https://gitlab.com/gitlab-org/gitlab-ui/-/issues/1421
FORBID_ATTR: ['data-remote', 'data-url', 'data-type', 'data-method'],
+ FORBID_TAGS: ['style', 'mstyle'],
};
// Only icons urls from `gon` are allowed
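Review bot: The new `FORBID_TAGS` entry carries no comment explaining why these two elements are blocked, unlike the `FORBID_ATTR` line directly above it, which cites the issue that motivated it. A short why-comment in the same style would help the next maintainer, e.g. `// Drop <style> and MathML <mstyle> so sanitized content cannot carry author-controlled CSS`, ideally followed by a link to the tracking issue as the previous entry does. Note also that `FORBID_TAGS` only removes elements; DOMPurify's default attribute allow-list still permits inline `style` attributes, so if the intent is to keep CSS out of sanitized output entirely, `'style'` would also need to be considered for `FORBID_ATTR`. The `defaultConfig` object begins before this hunk.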
diff --git a/app/assets/javascripts/lib/utils/url_utility.js b/app/assets/javascripts/lib/utils/url_utility.js
index 335cd6a16e5..ff60fd2aecb 100644
--- a/app/assets/javascripts/lib/utils/url_utility.js
+++ b/app/assets/javascripts/lib/utils/url_utility.js
@@ -420,6 +420,19 @@ export function isSafeURL(url) {
}
/**
+ * Returns the sanitized url when not safe
+ *
+ * @param {String} url
+ * @returns {String}
+ */
+export function sanitizeUrl(url) {
+ if (!isSafeURL(url)) {
+ return 'about:blank';
+ }
+ return url;
+}
+
+/**
* Returns a normalized url
*
* https://gitlab.com/foo/../baz => https://gitlab.com/baz
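Review bot: The JSDoc on `sanitizeUrl` says it "Returns the sanitized url when not safe", which describes the opposite of what the body does: the url is returned unchanged when `isSafeURL` accepts it and replaced with `'about:blank'` otherwise. Suggest `* Returns the url unchanged when isSafeURL accepts it, otherwise the inert 'about:blank'` so callers do not read it as a URL-rewriting function. The fallback literal would also read better as a named constant, since any other call site that compares against it has to spell the same string. How `null` or `undefined` input is handled depends entirely on `isSafeURL`, whose body lies outside this hunk, so a unit test covering those inputs would pin the contract the new function now exposes.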