Replacing html-pipeline with Loofah for HTML Filtering (#42737).

Patch by Takashi Kato (user:tohosaku). git-svn-id: https://svn.redmine.org/redmine/trunk@24094 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-11-10 07:16:03 +01:00 · 2025-10-31 06:38:27 +00:00
parent 19927b2382
commit d89a3b5e6f
17 changed files with 214 additions and 137 deletions
--- a/lib/redmine/wiki_formatting/html_sanitizer.rb
+++ b/lib/redmine/wiki_formatting/html_sanitizer.rb
@@ -19,17 +19,18 @@

 module Redmine
  module WikiFormatting
-    # Combination of SanitizationFilter and ExternalLinksFilter
+    # Combination of SanitizationFilter and ExternalLinksScrubber
    class HtmlSanitizer
-      Pipeline = HTML::Pipeline.new(
-        [
-          Redmine::WikiFormatting::CommonMark::SanitizationFilter,
-          Redmine::WikiFormatting::CommonMark::ExternalLinksFilter,
-        ], {})
+      SANITIZER = Redmine::WikiFormatting::CommonMark::SanitizationFilter.new
+      SCRUBBERS = [Redmine::WikiFormatting::CommonMark::ExternalLinksScrubber.new]

      def self.call(html)
-        result = Pipeline.call html
-        result[:output].to_s
+        fragment = HtmlParser.parse(html)
+        SANITIZER.call(fragment)
+        SCRUBBERS.each do |scrubber|
+          fragment.scrub!(scrubber)
+        end
+        fragment.to_s
      end
    end
  end