Allow HTML tags in user Markdown input
Created by: mr-vinn
This change fixes #7066, and issues #147, #408 and #476 from gitlab.com.
The Markdown parser currently uses Redcarpet's `:filter_html` option, which removes all HTML tags from user input. The parser also calls ActionView's `#sanitize` method, which removes HTML tags and attributes that are not whitelisted.

GitLab's Markdown documentation says that inline HTML should be allowed, which seems incompatible with the `:filter_html` option. This change disables that option to allow safe tags from user input to appear in the rendered HTML.
However, relying on `#sanitize` at the end of parsing doesn't handle javascript in tag attributes correctly. For example, this input:

```html
<a href="javascript:alert('foo')">link text</a>
```

is rendered as:

```html
<a href="/namespace101/gitlabhq/blob/markdown/javascript:alert('foo')">link text</a>
```

To handle javascript in attributes, I added a call to `#sanitize` before parsing relative links. This results in the correctly sanitized output:

```html
<a>link text</a>
```
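The ordering problem described in this merge request, shown as an added example that is not GitLab's code and does not use Redcarpet or ActionView. The `sanitize` and `rewrite_relative_links` functions below are small stand-ins written for this illustration: `sanitize` keeps a whitelist of tags and attributes and drops `href` values whose scheme is not http, https or mailto; `rewrite_relative_links` deliberately mimics a rewriter that treats anything not starting with `http(s)://`, `/` or `#` as a repository-relative path, which is the assumption needed to reproduce the `/namespace101/gitlabhq/blob/markdown/javascript:alert('foo')` output quoted above. The two `render_*` functions run the same steps in the two orders the description contrasts.

```ruby
# Added example: toy sanitizer + relative-link rewriter showing why
# sanitizing AFTER link rewriting lets a javascript: href survive,
# while sanitizing BEFORE it strips the attribute. Not GitLab's code.

ALLOWED_TAGS  = %w[a b em strong code p].freeze
ALLOWED_ATTRS = { 'a' => %w[href title] }.freeze   # assumed whitelist
URL_ATTRS     = %w[href].freeze
SAFE_SCHEMES  = %w[http https mailto].freeze
BASE          = '/namespace101/gitlabhq/blob/markdown'.freeze   # path from the MR text

TAG_RE  = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>}
ATTR_RE = /([a-zA-Z][a-zA-Z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/

# True when the URL has no scheme (relative path or fragment) or a whitelisted one.
# ASCII control characters and whitespace are removed before reading the scheme,
# so obfuscations such as "java\tscript:" do not slip past the check.
def safe_url?(value)
  cleaned = value.gsub(/[\x00-\x20]/, '')
  m = cleaned.match(/\A([a-zA-Z][a-zA-Z0-9+.-]*):/)
  return true unless m
  SAFE_SCHEMES.include?(m[1].downcase)
end

# Whitelist-based tag/attribute filter. Non-whitelisted tags are removed but
# their text content is kept; non-whitelisted attributes and unsafe URLs are dropped.
def sanitize(html)
  html.gsub(TAG_RE) do
    closing   = Regexp.last_match(1) == '/'
    name      = Regexp.last_match(2).downcase
    raw_attrs = Regexp.last_match(3)
    next '' unless ALLOWED_TAGS.include?(name)
    next "</#{name}>" if closing

    kept = raw_attrs.scan(ATTR_RE).map do |attr, dq, sq, bare|
      attr  = attr.downcase
      value = dq || sq || bare
      next unless ALLOWED_ATTRS.fetch(name, []).include?(attr)
      next if URL_ATTRS.include?(attr) && !safe_url?(value)
      next if value.include?('"')              # keep the rebuilt attribute well-formed
      %( #{attr}="#{value}")
    end.compact
    "<#{name}#{kept.join}>"
  end
end

# Assumed behaviour of the rewriter: only http(s) URLs, site-absolute paths and
# fragments are left alone; everything else is prefixed with the blob path, so a
# "javascript:" href is treated as a file name, as in the MR description.
def rewrite_relative_links(html, base)
  html.gsub(/href="([^"]*)"/) do
    href = Regexp.last_match(1)
    if href =~ %r{\A(https?://|/|#)}
      %(href="#{href}")
    else
      %(href="#{base}/#{href}")
    end
  end
end

# Original pipeline: rewrite links first, sanitize at the end.
def render_sanitize_last(html, base = BASE)
  sanitize(rewrite_relative_links(html, base))
end

# Fixed pipeline: sanitize first, then rewrite whatever hrefs survived.
def render_sanitize_first(html, base = BASE)
  rewrite_relative_links(sanitize(html), base)
end

if __FILE__ == $PROGRAM_NAME
  sample = %(<a href="javascript:alert('foo')">link text</a>)   # constructed input
  puts "sanitize last:  #{render_sanitize_last(sample)}"
  puts "sanitize first: #{render_sanitize_first(sample)}"
  puts "relative link:  #{render_sanitize_first('<a href="README.md">readme</a>')}"
end
```

Running it prints the two renderings quoted in the description: with `sanitize` last the `javascript:` value has already been turned into a site-relative path, so the scheme check never sees it and the `href` is kept; with `sanitize` first the attribute is dropped and the rewriter has nothing to touch, while an ordinary `README.md` link is still rewritten under the blob path.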