From: Andy Allan Date: Wed, 24 Mar 2021 19:15:21 +0000 (+0000) Subject: Strip away class attributes from sanitized outputs X-Git-Tag: live~1702^2 X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/d7eac9b5a8f4cbbeb4ed3d73464993bfd5888935 Strip away class attributes from sanitized outputs There's a lot of shenanigans that are possible when you can apply arbitrary classes to the rendered output.
---
diff --git a/config/initializers/sanitize.rb b/config/initializers/sanitize.rb
index 609bb8734..b98523805 100644
--- a/config/initializers/sanitize.rb
+++ b/config/initializers/sanitize.rb
@@ -4,6 +4,7 @@ Sanitize::Config::OSM = Sanitize::Config.merge(
   :add_attributes => { "a" => { "rel" => "nofollow noopener noreferrer" } },
   :remove_contents => %w[script style],
   :transformers => lambda do |env|
+    env[:node].remove_class
     env[:node].add_class("table table-sm w-auto") if env[:node_name] == "table"
   end
 )
diff --git a/test/lib/rich_text_test.rb b/test/lib/rich_text_test.rb
index e287f03f5..5b590bc3e 100644
--- a/test/lib/rich_text_test.rb
+++ b/test/lib/rich_text_test.rb
@@ -52,6 +52,12 @@ class RichTextTest < ActiveSupport::TestCase
     assert_html r do
       assert_select "table[class='table table-sm w-auto']"
     end
+
+    r = RichText.new("html", "
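Review bot: The new `env[:node].remove_class` line strips every incoming class (with no argument Nokogiri deletes the whole `class` attribute, as far as I recall), but `class` itself presumably stays in the `:attributes` allowlist outside this hunk so that the table classes re-added on the following line survive; the protection therefore rests entirely on this transformer, which deserves a comment on the new line such as `# Drop every user-supplied class first; only classes this transformer adds below survive.` If Sanitize applies `:add_attributes` after its own attribute pruning, as I believe it does, a more robust layout would be to remove `class` from the allowlist and declare `"table" => { "class" => "table table-sm w-auto" }` under `:add_attributes`, so that stripping no longer depends on the transformer running. The opening of the `Sanitize::Config.merge(` call lies before the hunk.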

Click Me

")
+    assert_html r do
+      assert_select "p[class='btn btn-warning']", false
+      assert_select "p", /^Click Me$/
+    end
   end
 
   def test_html_to_text
@@ -155,6 +161,13 @@ class RichTextTest < ActiveSupport::TestCase
     assert_html r do
       assert_select "table[class='table table-sm w-auto']"
     end
+
+    r = RichText.new("markdown", "Click Me\n{:.btn.btn-warning}")
+    # raise r.to_html
+    assert_html r do
+      assert_select "p[class='btn btn-warning']", false
+      assert_select "p", /^Click Me$/
+    end
   end
 
   def test_markdown_to_text
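Review bot: In the new `RichText.new("html", …)` case, `assert_select "p[class='btn btn-warning']", false` only proves that this exact class string is absent, so a regression that left a partial or reordered class list on the paragraph would still pass; asserting that the attribute is gone outright, `assert_select "p[class]", false`, pins the behaviour this commit introduces. The same weakness applies to the markdown case in the `@@ -155,6 +161,13 @@` hunk below. The string literal passed to RichText.new in this hunk has not survived the rendering of this page, so the exact input markup cannot be checked here.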
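Review bot: `# raise r.to_html` in the new markdown case is a leftover debugging aid and should be dropped before merge, since a commented-out raise tells the next reader nothing about the test. If the intent was to explain why this input is interesting, a short comment does that better, e.g. `# The {:.btn.btn-warning} attribute list would add these classes; the sanitizer must strip them.`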