[ARVADOS] created: 1.2.0-430-g8299fa11d
Git user
git at public.curoverse.com
Mon Nov 26 13:42:06 EST 2018
at 8299fa11d1e813ea52e3ea482214d12044119bc3 (commit)
commit 8299fa11d1e813ea52e3ea482214d12044119bc3
Author: Lucas Di Pentima <ldipentima at veritasgenetics.com>
Date: Wed Nov 21 19:32:23 2018 -0300
14519: Fixes bug by adding table tags to the sanitizer white list
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <ldipentima at veritasgenetics.com>
diff --git a/apps/workbench/app/helpers/application_helper.rb b/apps/workbench/app/helpers/application_helper.rb
index 2b48d74b2..379eb6424 100644
--- a/apps/workbench/app/helpers/application_helper.rb
+++ b/apps/workbench/app/helpers/application_helper.rb
@@ -16,7 +16,8 @@ module ApplicationHelper
end
def render_markup(markup)
- sanitize(raw(RedCloth.new(markup.to_s).to_html(:refs_arvados, :textile))) if markup
+ allowed_tags = Rails::Html::Sanitizer.white_list_sanitizer.allowed_tags + %w(table tbody th tr td)
+ sanitize(raw(RedCloth.new(markup.to_s).to_html(:refs_arvados, :textile)), tags: allowed_tags)
end
def human_readable_bytes_html(n)
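Review bot: The `if markup` guard from the removed line is gone, so `render_markup(nil)` now returns a sanitized empty string rather than nil; the commit message does not mention this, and any caller that tests the result for presence (none is visible here) would behave differently. If the change is unintended, keep the modifier on the new call: `sanitize(raw(RedCloth.new(markup.to_s).to_html(:refs_arvados, :textile)), tags: allowed_tags) if markup`. Extending the sanitizer's default tag list instead of replacing it is the right shape, and because no `attributes:` option is passed the attribute allowlist stays at its default; a short comment above `allowed_tags` would record that, e.g. `# Only structural table tags are added; allowed attributes stay at the sanitizer default.` The list also omits `thead`, `tfoot` and `caption`, so if the RedCloth version in use emits them for Textile tables, those wrappers would still be stripped.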
commit 1d6540e48c83e0a740fd2a8bd63f99671d40488a
Author: Lucas Di Pentima <ldipentima at veritasgenetics.com>
Date: Wed Nov 21 19:31:51 2018 -0300
14519: Test exposing the regression
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <ldipentima at veritasgenetics.com>
diff --git a/apps/workbench/test/controllers/projects_controller_test.rb b/apps/workbench/test/controllers/projects_controller_test.rb
index 3522745fe..21b3361c1 100644
--- a/apps/workbench/test/controllers/projects_controller_test.rb
+++ b/apps/workbench/test/controllers/projects_controller_test.rb
@@ -351,6 +351,24 @@ class ProjectsControllerTest < ActionController::TestCase
assert_includes @response.body, 'Textile description with unsafe script tag alert("Hello there").'
end
+ # Tests #14519
+ test "textile table on description renders as table html markup" do
+ use_token :active
+ project = api_fixture('groups')['aproject']
+ textile_table = <<EOT
+table(table table-striped table-condensed).
+|_. First Header |_. Second Header |
+|Content Cell |Content Cell |
+|Content Cell |Content Cell |
+EOT
+ found = Group.find(project['uuid'])
+ found.description = textile_table
+ found.save!
+ get(:show, {id: project['uuid']}, session_for(:active))
+ assert_includes @response.body, '<th>First Header'
+ assert_includes @response.body, '<td>Content Cell'
+ end
+
test "find a project and edit description to textile description with link to object" do
project = api_fixture('groups')['aproject']
use_token :active
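Review bot: The new test asserts only that `<th>` and `<td>` survive, so nothing checks that the widened allowlist still strips unsafe markup inside a table cell. Since the change under test relaxes the sanitizer, add a negative assertion next to the positive ones, mirroring the existing script-tag test just above: put a script tag in one cell and add `refute_includes @response.body, '<script'`. The test name also promises table markup, but `<table` itself is never asserted; `assert_includes @response.body, '<table'` would cover the wrapper and catch a regression where only the cells get through.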
-----------------------------------------------------------------------
hooks/post-receive
--