From e241d8a530067f0f7e5545ecb1ebb15828ed4fdd Mon Sep 17 00:00:00 2001 From: Dante Soares Date: Tue, 11 Oct 2022 15:39:02 -0500 Subject: [PATCH] Allow style data attributes everywhere --- config/initializers/user_html.rb | 9 +++++++-- spec/lib/user_html_spec.rb | 13 +++++++++++-- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/config/initializers/user_html.rb b/config/initializers/user_html.rb index a571c2a8..7340f60f 100644 --- a/config/initializers/user_html.rb +++ b/config/initializers/user_html.rb @@ -42,15 +42,20 @@ { node_whitelist: [node] } end +STYLE_DATA_ATTRIBUTES = %w(bullet-style type orient valign align media) +STYLE_ATTRIBUTES = STYLE_DATA_ATTRIBUTES.map { |attr| "data-#{attr}" } + UserHtml.sanitize_config = Sanitize::Config.merge( Sanitize::Config::RELAXED, add_attributes: { 'a' => {'rel' => 'nofollow', 'target' => '_blank'} }, - attributes: Sanitize::Config::RELAXED[:attributes].merge({ + attributes: Sanitize::Config::RELAXED[:attributes].merge( + # :all has to be a symbol, not a string + all: Sanitize::Config::RELAXED[:attributes][:all] + STYLE_ATTRIBUTES, 'span' => ['data-math'], 'div' => ['data-math', 'align'], 'p' => ['align'], - }), + ), transformers: [embed_transformer] ) diff --git a/spec/lib/user_html_spec.rb b/spec/lib/user_html_spec.rb index 2eef7181..af320409 100644 --- a/spec/lib/user_html_spec.rb +++ b/spec/lib/user_html_spec.rb @@ -76,7 +76,7 @@ expect(described_class.sanitize(content)).to eq 'Funny cat videos: ' end - describe 'data-math attribute' do + context 'data-math attribute' do let (:formula){ %-\lim_{x\to\infty}f(x)=0- } it 'is allowed on divs' do @@ -93,7 +93,16 @@ content = "also:
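Review bot: `STYLE_DATA_ATTRIBUTES` and `STYLE_ATTRIBUTES` are unfrozen constants defined at the top level of an initializer, so they presumably become globals on `Object` that any later code can mutate; freezing them and scoping them under the `UserHtml` namespace the file already assigns to would make the allow-list read-only and avoid the global. Suggested lines: `STYLE_DATA_ATTRIBUTES = %w(bullet-style type orient valign align media).freeze` and `STYLE_ATTRIBUTES = STYLE_DATA_ATTRIBUTES.map { |attr| "data-#{attr}" }.freeze`; the spec in this patch references the bare `STYLE_ATTRIBUTES`, so a namespace change would need the same edit there. Since these `data-*` names are now accepted on every element with any value, a comment at the `all:` line such as `# values are untrusted user input; consumers must treat them as plain data, never as markup or URLs` would record the assumption the wider allow-list relies on. The `# :all has to be a symbol, not a string` comment would read better if it said why, e.g. that Sanitize keys per-element lists by element-name string and the wildcard by the `:all` symbol, if that is indeed the reason.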

" expect(described_class.sanitize(content)).to eq 'also:

' end - end + context 'style attributes' do + STYLE_ATTRIBUTES.each do |attr| + context "#{attr} attribute" do + it 'is allowed on any element' do + content = "
Hi
" + expect(described_class.sanitize(content)).to eq content + end + end + end + end end