FEATURE: whitelist data for themes

pitchin · Mar 2, 2018 · d39d2b9 · d39d2b9
1 parent 939180e
commit d39d2b9
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/app/assets/javascripts/pretty-text/white-lister.js.es6 b/app/assets/javascripts/pretty-text/white-lister.js.es6
@@ -137,7 +137,12 @@ const DEFAULT_LIST = [
   'div.quote-controls',
   'div.title',
   'div[align]',
-  'div[data-theme-*]',
+  'div[data-*]', /* This may seem a bit much but polls does
+                    it anyway and this is needed for themes,
+                    special code in sanitizer handles data-*
+                    nothing exists for data-theme-* and we
+                    don't want to slow sanitize for this case
+                  */
   'div[dir]',
   'dl',
   'dt',

diff --git a/spec/components/pretty_text_spec.rb b/spec/components/pretty_text_spec.rb
@@ -1262,4 +1262,9 @@ def test_s3_cdn
     HTML
   end
 
+  it "has a proper data whitlist on div" do
+    cooked = PrettyText.cook("<div data-theme-a='a'>test</div>")
+    expect(cooked).to include("data-theme-a")
+  end
+
 end