Whitelist raw "abbr" elements when parsing Markdown

Closes #12517

Whitelist raw "abbr" elements when parsing Markdown
Closes #12517
6435f78a · Benedict Etzel · dc78ee4e · 6435f78a · 6435f78a · 6435f78a
3 changed file
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -6,6 +6,7 @@ v 8.5.0 (unreleased)
  - Upgrade gitlab_git to 7.2.23 to fix commit message mentions in first branch push
  - New UI for pagination
  - Fix diff comments loaded by AJAX to load comment with diff in discussion tab
+  - Whitelist raw "abbr" elements when parsing Markdown (Benedict Etzel)

 v 8.4.0
  - Allow LDAP users to change their email if it was not set by the LDAP server

--- a/lib/banzai/filter/sanitization_filter.rb
+++ b/lib/banzai/filter/sanitization_filter.rb
@@ -43,6 +43,10 @@ module Banzai
        # Allow span elements
        whitelist[:elements].push('span')

+        # Allow abbr elements with title attribute
+        whitelist[:elements].push('abbr')
+        whitelist[:attributes]['abbr'] = %w(title)
+
        # Allow any protocol in `a` elements...
        whitelist[:protocols].delete('a')


--- a/spec/lib/banzai/filter/sanitization_filter_spec.rb
+++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb
@@ -75,6 +75,11 @@ describe Banzai::Filter::SanitizationFilter, lib: true do
      expect(filter(act).to_html).to eq exp
    end

+    it 'allows `abbr` elements' do
+      exp = act = %q{<abbr title="HyperText Markup Language">HTML</abbr>}
+      expect(filter(act).to_html).to eq exp
+    end
+
    it 'removes `rel` attribute from `a` elements' do
      act = %q{<a href="#" rel="nofollow">Link</a>}
      exp = %q{<a href="#">Link</a>}