references/openproject
1
0
Fork 0
mirror of https://github.com/opf/openproject.git synced 2026-06-14 03:30:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

Better whitelisting of allowed macros and data-attributes

Browse Source
This commit is contained in:
Oliver Günther
2026-06-01 10:09:17 +02:00
parent 5b0a186795
commit 9ed3392dae
4 changed files with 125 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
lib/open_project/text_formatting/filters/macro_filter.rb
+13
View File
@@ -41,9 +41,13 @@ module OpenProject::TextFormatting
def call # rubocop:disable Metrics/AbcSize
doc.search("macro").each do |macro|
matched = false
registered.each do |macro_class|
next unless macro_applies?(macro_class, macro)
matched = true
# If requested to skip macro expansion, do that
if context[:disable_macro_expansion]
macro.replace macro_placeholder(macro_class)
@@ -60,6 +64,8 @@ module OpenProject::TextFormatting
break
end
end
macro.replace unknown_macro_placeholder unless matched
end
doc
@@ -67,6 +73,13 @@ module OpenProject::TextFormatting
private
def unknown_macro_placeholder
ApplicationController.helpers.content_tag :macro,
I18n.t(:macro_unknown),
class: "macro-unavailable",
data: { macro_name: "unknown" }
end
def macro_error_placeholder(macro_class, message)
ApplicationController.helpers.content_tag :macro,
"#{I18n.t(:macro_execution_error,
lib/open_project/text_formatting/filters/sanitization_filter.rb
+2 -2
View File
@@ -52,8 +52,8 @@ module OpenProject::TextFormatting
remove_contents: Array(base[:remove_contents]) | %w[svg style],
attributes: base_attrs.deep_merge(
# Whitelist class and data-* attributes on all macros
"macro" => ["class", :data],
# Explicit allowlist of data-* attributes used by registered macros.
"macro" => %w[class data-type data-classes data-page data-include-parent data-macro-name data-query-props data-pull-request-id data-pull-request-state],
# mentions
"mention" => %w[data-type data-text data-id class],
# add styles to tables