Replacing html-pipeline with Loofah for HTML Filtering (#42737).

Patch by Takashi Kato (user:tohosaku). git-svn-id: https://svn.redmine.org/redmine/trunk@24094 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-11-10 07:16:03 +01:00 · 2025-10-31 06:38:27 +00:00
parent 19927b2382
commit d89a3b5e6f
17 changed files with 214 additions and 137 deletions
--- a/lib/redmine/wiki_formatting/common_mark/formatter.rb
+++ b/lib/redmine/wiki_formatting/common_mark/formatter.rb
@@ -17,8 +17,6 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

-require 'html/pipeline'
-
 module Redmine
  module WikiFormatting
    module CommonMark
@@ -54,14 +52,13 @@ module Redmine
        }.freeze,
      }.freeze

-      MarkdownPipeline = HTML::Pipeline.new [
-        MarkdownFilter,
-        SanitizationFilter,
-        SyntaxHighlightFilter,
-        FixupAutoLinksFilter,
-        ExternalLinksFilter,
-        AlertsIconsFilter
-      ], PIPELINE_CONFIG
+      SANITIZER = SanitizationFilter.new
+      SCRUBBERS = [
+        SyntaxHighlightScrubber.new,
+        FixupAutoLinksScrubber.new,
+        ExternalLinksScrubber.new,
+        AlertsIconsScrubber.new
+      ]

      class Formatter
        include Redmine::WikiFormatting::SectionHelper
@@ -71,8 +68,13 @@ module Redmine
        end

        def to_html(*args)
-          result = MarkdownPipeline.call @text
-          result[:output].to_s
+          html = MarkdownFilter.new(@text, PIPELINE_CONFIG).call
+          fragment = Redmine::WikiFormatting::HtmlParser.parse(html)
+          SANITIZER.call(fragment)
+          SCRUBBERS.each do |scrubber|
+            fragment.scrub!(scrubber)
+          end
+          fragment.to_s
        end
      end
    end