From 661e6a6d01c1d760d1ee5192b3ba521d9cc568c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Johannes=20L=C3=B6thberg?=
Date: Mon, 12 Jun 2017 02:03:38 +0200
Subject: [PATCH] HtmlUtils: Allow language- classes on code blocks through the sanitizer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This is required to be able to specify the highlight language in fenced blocks like the following:
```python
print("foo")
```

Signed-off-by: Johannes Löthberg
---
 src/HtmlUtils.js | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/HtmlUtils.js b/src/HtmlUtils.js
index aec32092ed..a32d05e4ff 100644
--- a/src/HtmlUtils.js
+++ b/src/HtmlUtils.js
@@ -124,6 +124,7 @@ var sanitizeHtmlParams = {
 // would make sense if we did
 img: ['src'],
 ol: ['start'],
+ code: ['class'], // We don't actually allow all classes, we filter them in transformTags
 },
 // Lots of these won't come up by default because we don't allow them
 selfClosing: ['img', 'br', 'hr', 'area', 'base', 'basefont', 'input', 'link', 'meta'],
@@ -165,6 +166,19 @@ var sanitizeHtmlParams = {
 attribs.rel = 'noopener'; // https://mathiasbynens.github.io/rel-noopener/
 return { tagName: tagName, attribs : attribs };
 },
+ 'code': function(tagName, attribs) {
+ if (typeof attribs.class !== 'undefined') {
+ // Filter out all classes other than ones starting with language- for syntax highlighting.
+ let classes = attribs.class.split(/\s+/).filter(function(cl) {
+ return cl.startsWith('language-');
+ });
+ attribs.class = classes.join(' ');
+ }
+ return {
+ tagName: tagName,
+ attribs: attribs,
+ };
+ },
 '*': function(tagName, attribs) {
 // Delete any style previously assigned, style is an allowedTag for font and span
 // because attributes are stripped after transforming
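Review bot: The filter in the new `'code'` transform accepts any token that merely starts with `language-`, so the bare token `language-` and suffixes containing arbitrary characters are kept in the class attribute and reach whatever highlighter or stylesheet reads it. The `code: ['class']` allowlist entry in the first hunk relies on this filter as its only restriction, so matching the whole token would be tighter, e.g. `return /^language-[A-Za-z0-9_+-]+$/.test(cl);` (the exact character set should follow the language names the highlighter accepts, which are not visible here). When no token survives, `attribs.class` is set to an empty string and an empty class attribute is presumably still emitted; `if (classes.length) attribs.class = classes.join(' '); else delete attribs.class;` would drop it instead. The enclosing `transformTags` map and the `'*'` transform continue outside the hunk, so how the two transforms combine on a `code` element cannot be confirmed from here.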