Commit

Don't sanitize controls attribute (gollum#430)
dometto authored and Dawa Ometto committed Nov 27, 2022
1 parent 69d0eaa commit edb2fa8
Showing 4 changed files with 9 additions and 2 deletions.
2 changes: 1 addition & 1 deletion lib/gollum-lib/macro/audio.rb
Expand Up @@ -2,7 +2,7 @@ module Gollum
class Macro
class Audio < Gollum::Macro
def render (fname)
"<audio width=\"100%\" height=\"100%\" src=\"#{CGI::escapeHTML(fname)}\" controls=\"\"> HTML5 audio is not supported on this Browser.</audio>"
"<audio width=\"100%\" height=\"100%\" src=\"#{CGI::escapeHTML(fname)}\" controls=\"true\"> HTML5 audio is not supported on this Browser.</audio>"
end
end
end
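Review bot: the only change on the render line is `controls=""` becoming `controls="true"`, and nothing in this file says why; the per-spec form of a boolean attribute is the empty string or the attribute name, so a later cleanup is likely to revert this. Mirror the explanation that the new test carries (the Loofah issue reference) as a comment directly above the string, e.g. `# controls="true" rather than "" so the sanitizer keeps the attribute; see test_macros.rb`. Minor style point on the unchanged context: `def render (fname)` has a space before the parenthesis that Ruby style normally omits.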
2 changes: 1 addition & 1 deletion lib/gollum-lib/macro/video.rb
Expand Up @@ -2,7 +2,7 @@ module Gollum
class Macro
class Video < Gollum::Macro
def render (fname)
"<video width=\"100%\" height=\"100%\" src=\"#{CGI::escapeHTML(fname)}\" controls=\"\"> HTML5 video is not supported on this Browser.</video>"
"<video width=\"100%\" height=\"100%\" src=\"#{CGI::escapeHTML(fname)}\" controls=\"true\"> HTML5 video is not supported on this Browser.</video>"
end
end
end
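Review bot: this is the identical workaround applied a second time; the Audio and Video render methods now differ only in the tag name and the fallback text. Keeping the `controls="true"` reason in two places invites the two files to drift when the Loofah issue is resolved, so consider a small shared helper on `Gollum::Macro` (tag name and fallback text as arguments) so the sanitizer workaround and its eventual removal live in one spot.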
1 change: 1 addition & 0 deletions lib/gollum-lib/sanitization.rb
@@ -1,4 +1,5 @@
::Loofah::HTML5::SafeList::ACCEPTABLE_PROTOCOLS.add('apt')
::Loofah::HTML5::SafeList::ALLOWED_ATTRIBUTES.add('controls')

module Gollum
class Sanitization
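Review bot: `ALLOWED_ATTRIBUTES.add('controls')` mutates Loofah's process-wide safelist at require time, the same way the existing `ACCEPTABLE_PROTOCOLS.add('apt')` line does, so the relaxation applies to every Loofah scrub in the process and to `controls` on any element, not only `audio` and `video`. Since `controls` is a plain boolean attribute with no URL or script semantics the risk is low, but the policy change should be visible: add a comment naming the reason (gollum#430 and the Loofah issue the test cites) above the line, and if Gollum ever builds its own scrubber config, prefer adding the attribute there rather than to the shared constant.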
6 changes: 6 additions & 0 deletions test/test_macros.rb
Expand Up @@ -200,4 +200,10 @@ def render(opts)
@wiki.write_page("_Footer", :markdown, "<<Series(test)>>", commit_details)
assert_match /Next(.*)test-2&lt;span&gt;/, @wiki.page("test-1").footer.formatted_data
end

test "Control attributes for Audio and Video are not sanitized" do
@wiki.write_page("AudioTagTest", :markdown, "<<Audio(foo)>>\n<<Video(bar)>>", commit_details)
# The Macros must return controls=true until https://github.com/flavorjones/loofah/issues/242 is resolved
assert_match /<audio (.*)controls(.*)>(.*)<video (.*)controls(.*)>/m, @wiki.pages[0].formatted_data
end
end
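Review bot: `@wiki.pages[0]` depends on page ordering in the test repository, while the surrounding tests look pages up by name; `@wiki.page("AudioTagTest").formatted_data` is more robust. The assertion regex is also looser than the test name suggests: with `/m` and greedy `(.*)` it only requires the word `controls` to occur somewhere between `<audio ` and a later `>`, and it never checks the attribute value, so `/<audio [^>]*\bcontrols=/` and `/<video [^>]*\bcontrols=/` as two assertions would pin down exactly what the sanitizer must preserve. Keep the comment referencing the Loofah issue; it is the only place in the commit that explains the `controls="true"` choice.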
