
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2022-10-13 18:09:32 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-10-13 18:09:32 +0300
commitbd25f1d9c685039381df23e49bc52cdcf4ec1b4a (patch)
tree33b3b16ae2ef653f74828f69742154122ff0ac2d /app/assets/javascripts/lib
parent70ce746bd011b101605e6d84f141d1f0c3175831 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app/assets/javascripts/lib')
-rw-r--r--app/assets/javascripts/lib/dompurify.js13
1 files changed, 11 insertions, 2 deletions
diff --git a/app/assets/javascripts/lib/dompurify.js b/app/assets/javascripts/lib/dompurify.js
index 6f24590f9e7..27760e483aa 100644
--- a/app/assets/javascripts/lib/dompurify.js
+++ b/app/assets/javascripts/lib/dompurify.js
@@ -3,12 +3,21 @@ import { getNormalizedURL, getBaseURL, relativePathToAbsolute } from '~/lib/util
const { sanitize: dompurifySanitize, addHook, isValidAttribute } = DOMPurify;
-const defaultConfig = {
+export const defaultConfig = {
// Safely allow SVG <use> tags
ADD_TAGS: ['use', 'gl-emoji', 'copy-code'],
// Prevent possible XSS attacks with data-* attributes used by @rails/ujs
// See https://gitlab.com/gitlab-org/gitlab-ui/-/issues/1421
- FORBID_ATTR: ['data-remote', 'data-url', 'data-type', 'data-method'],
+ FORBID_ATTR: [
+ 'data-remote',
+ 'data-url',
+ 'data-type',
+ 'data-method',
+ 'data-disable-with',
+ 'data-disabled',
+ 'data-disable',
+ 'data-turbo',
+ ],
FORBID_TAGS: ['style', 'mstyle'],
ALLOW_UNKNOWN_PROTOCOLS: true,
};
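Review bot: Exporting `defaultConfig` gives every importer a live reference to the sanitizer's `ADD_TAGS`, `FORBID_ATTR` and `FORBID_TAGS` arrays. A caller that mutates them, or that spreads the object and passes its own `FORBID_ATTR`, would silently lose the deny-list for whatever it sanitizes. Consider freezing the object and its arrays at the declaration, or exporting a small merge helper that always concatenates extra entries onto the base `FORBID_ATTR` rather than replacing it; how the file's own `sanitize` wrapper consumes the config is outside this hunk, so check that it tolerates a frozen object. The comment above `FORBID_ATTR` also still attributes the list to @rails/ujs, although `data-turbo` appears to belong to Turbo. Something like `// Prevent possible XSS via data-* attributes acted on by @rails/ujs and Turbo` would keep it accurate. Because this is a deny-list, a spec that checks each listed attribute is stripped from sanitized output would make the next omission easier to catch.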