Merge pull request #383 from openstax/allow_data_attributes

Allow style data attributes everywhere

config/initializers/user_html.rb

@@ -42,15 +42,20 @@
   { node_whitelist: [node] }
 end
 
+STYLE_DATA_ATTRIBUTES = %w(bullet-style type orient valign align media)
+STYLE_ATTRIBUTES = STYLE_DATA_ATTRIBUTES.map { |attr| "data-#{attr}" }
+
 UserHtml.sanitize_config = Sanitize::Config.merge(
   Sanitize::Config::RELAXED,
   add_attributes: {
     'a' => {'rel' => 'nofollow', 'target' => '_blank'}
   },
-  attributes: Sanitize::Config::RELAXED[:attributes].merge({
+  attributes: Sanitize::Config::RELAXED[:attributes].merge(
+    # :all has to be a symbol, not a string
+    all: Sanitize::Config::RELAXED[:attributes][:all] + STYLE_ATTRIBUTES,
     'span' => ['data-math'],
     'div'  => ['data-math', 'align'],
     'p'    => ['align'],
-  }),
+  ),
   transformers: [embed_transformer]
 )

spec/lib/user_html_spec.rb

@@ -76,7 +76,7 @@
     expect(described_class.sanitize(content)).to eq 'Funny cat videos: '
   end
 
-  describe 'data-math attribute' do
+  context 'data-math attribute' do
     let (:formula){ %-\lim_{x\to\infty}f(x)=0- }
 
     it 'is allowed on divs' do
@@ -93,7 +93,16 @@
       content = "also: <p data-math='#{formula}'/>"
       expect(described_class.sanitize(content)).to eq 'also: <p></p>'
     end
-
   end
 
+  context 'style attributes' do
+    STYLE_ATTRIBUTES.each do |attr|
+      context "#{attr} attribute" do
+        it 'is allowed on any element' do
+          content = "<table><tbody><tr><td #{attr}=\"test\">Hi</td></tr></tbody></table>"
+          expect(described_class.sanitize(content)).to eq content
+        end
+      end
+    end
+  end
 end