Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/app/assets/javascripts/lib/dompurify.js
diff options
context:
space:
mode:
Diffstat (limited to 'app/assets/javascripts/lib/dompurify.js')
-rw-r--r--app/assets/javascripts/lib/dompurify.js11
1 files changed, 11 insertions, 0 deletions
diff --git a/app/assets/javascripts/lib/dompurify.js b/app/assets/javascripts/lib/dompurify.js
index 76624c81ed5..4357918672d 100644
--- a/app/assets/javascripts/lib/dompurify.js
+++ b/app/assets/javascripts/lib/dompurify.js
@@ -7,6 +7,8 @@ const defaultConfig = {
ADD_TAGS: ['use'],
};
+const forbiddenDataAttrs = ['data-remote', 'data-url', 'data-type', 'data-method'];
+
// Only icons urls from `gon` are allowed
const getAllowedIconUrls = (gon = window.gon) =>
[gon.sprite_file_icons, gon.sprite_icons].filter(Boolean);
@@ -44,10 +46,19 @@ const sanitizeSvgIcon = (node) => {
removeUnsafeHref(node, 'xlink:href');
};
+const sanitizeHTMLAttributes = (node) => {
+ forbiddenDataAttrs.forEach((attr) => {
+ if (node.hasAttribute(attr)) {
+ node.removeAttribute(attr);
+ }
+ });
+};
+
addHook('afterSanitizeAttributes', (node) => {
if (node.tagName.toLowerCase() === 'use') {
sanitizeSvgIcon(node);
}
+ sanitizeHTMLAttributes(node);
});
export const sanitize = (val, config = defaultConfig) => dompurifySanitize(val, config);
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-14 20:16:57 +0300