author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-10-13 18:09:32 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-10-13 18:09:32 +0300 |
commit | bd25f1d9c685039381df23e49bc52cdcf4ec1b4a (patch) | |
tree | 33b3b16ae2ef653f74828f69742154122ff0ac2d /app/assets/javascripts/lib | |
parent | 70ce746bd011b101605e6d84f141d1f0c3175831 (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app/assets/javascripts/lib')
-rw-r--r-- | app/assets/javascripts/lib/dompurify.js | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/app/assets/javascripts/lib/dompurify.js b/app/assets/javascripts/lib/dompurify.js
index 6f24590f9e7..27760e483aa 100644
--- a/app/assets/javascripts/lib/dompurify.js
+++ b/app/assets/javascripts/lib/dompurify.js
@@ -3,12 +3,21 @@ import { getNormalizedURL, getBaseURL, relativePathToAbsolute } from '~/lib/util
 const { sanitize: dompurifySanitize, addHook, isValidAttribute } = DOMPurify;
 
-const defaultConfig = {
+export const defaultConfig = {
   // Safely allow SVG <use> tags
   ADD_TAGS: ['use', 'gl-emoji', 'copy-code'],
   // Prevent possible XSS attacks with data-* attributes used by @rails/ujs
   // See https://gitlab.com/gitlab-org/gitlab-ui/-/issues/1421
-  FORBID_ATTR: ['data-remote', 'data-url', 'data-type', 'data-method'],
+  FORBID_ATTR: [
+    'data-remote',
+    'data-url',
+    'data-type',
+    'data-method',
+    'data-disable-with',
+    'data-disabled',
+    'data-disable',
+    'data-turbo',
+  ],
   FORBID_TAGS: ['style', 'mstyle'],
   ALLOW_UNKNOWN_PROTOCOLS: true,
 };
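Review bot: The expanded `FORBID_ATTR` list is still a denylist of rails-ujs trigger attributes, so any ujs attribute not named here keeps passing through the sanitizer — `data-confirm` and `data-params`, which rails-ujs also reads as far as I recall, are not in the list. If no sanitized content legitimately needs `data-*` attributes, DOMPurify's `ALLOW_DATA_ATTR: false` closes the whole class instead of chasing individual names; if some are needed (the `gl-emoji` and `copy-code` custom elements added via `ADD_TAGS` may carry `data-*` attributes), an allowlist in an `uponSanitizeAttribute` hook is the safer shape. Separately, `export const defaultConfig` now hands a mutable object to every importer, and `defaultConfig.FORBID_ATTR.push(...)` from any module would silently weaken the shared baseline, so consider `Object.freeze` on the object and on each array inside it. Whichever route is taken, the comment above the list should name where the attribute names come from, e.g. `// Keep in sync with the data-* attributes rails-ujs reads (see the selectors in @rails/ujs)`.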