
Allow HTML tags in user Markdown input

Ramya Authappan requested to merge github/fork/mr-vinn/markdown-tags into master

Created by: mr-vinn

This change fixes #7066, and issues #147, #408 and #476 from gitlab.com.

The Markdown parser currently uses Redcarpet's :filter_html option, which removes all HTML tags from user input. The parser also calls ActionView's #sanitize method, which removes HTML tags and attributes that are not whitelisted.

GitLab's Markdown documentation says that inline HTML should be allowed, which seems incompatible with the :filter_html option. This change disables that option to allow safe tags from user input to appear in the rendered HTML.

However, relying on #sanitize at the end of parsing doesn't handle javascript in tag attributes correctly. For example, this input:

<a href="javascript:alert('foo')">link text</a>

is rendered as:

<a href="/namespace101/gitlabhq/blob/markdown/javascript:alert(&#39;foo&#39;)">link text</a>

To handle javascript in attributes, I added a call to #sanitize before parsing relative links. This results in the correctly sanitized output:

<a>link text</a>
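Added example, not code from this merge request or from GitLab: a small Ruby model of the two pipelines described above, sanitizing only after relative-link rewriting versus adding a sanitize pass before it. The sanitizer and link rewriter are simplified stand-ins for ActionView's #sanitize and GitLab's relative-link step, and the project path is the one from the example output above.

```ruby
require 'cgi'

# Simplified stand-ins for ActionView's #sanitize and GitLab's relative-link
# rewriting; the real implementations are far more complete.
SAFE_SCHEMES = %w[http https mailto].freeze
BASE_PATH = '/namespace101/gitlabhq/blob/markdown/'.freeze # path taken from the example output

# Keep <a> tags, but drop any href whose scheme is not whitelisted.
# An href with no scheme at all (a relative or absolute path) is kept,
# which is exactly what lets a rewritten javascript: href survive.
def sanitize(html)
  html.gsub(/<a\s+href="([^"]*)"\s*>/) do
    href = CGI.unescapeHTML(Regexp.last_match(1))
    scheme = href[/\A([a-z][a-z0-9+.-]*):/i, 1]
    if scheme.nil? || SAFE_SCHEMES.include?(scheme.downcase)
      %(<a href="#{CGI.escapeHTML(href)}">)
    else
      '<a>'
    end
  end
end

# Prefix every href that has neither a leading '/' nor a "scheme://" prefix
# with the project path. "javascript:alert('foo')" has no "//", so this simple
# check treats it as a relative file name, as in the output quoted above.
def rewrite_relative_links(html)
  html.gsub(/<a\s+href="([^"]*)"\s*>/) do
    href = CGI.unescapeHTML(Regexp.last_match(1))
    relative = !(href.start_with?('/') || href.match?(%r{\A[a-z][a-z0-9+.-]*://}i))
    href = BASE_PATH + href if relative
    %(<a href="#{CGI.escapeHTML(href)}">)
  end
end

# Old order: rewrite links first, sanitize once at the end.
def render_old(html)
  sanitize(rewrite_relative_links(html))
end

# Fixed order: sanitize before the relative-link step (and still at the end),
# so the javascript: href is removed before it can be turned into a path.
def render_fixed(html)
  sanitize(rewrite_relative_links(sanitize(html)))
end

if __FILE__ == $PROGRAM_NAME
  input = "<a href=\"javascript:alert('foo')\">link text</a>" # constructed input from the description
  puts render_old(input)   # href survives as a path under the project
  puts render_fixed(input) # <a>link text</a>
end
```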
