Strip away class attributes from sanitized outputs

There's a lot of shenanigans that are possible when you can apply
arbitrary classes to the rendered output.
This commit is contained in:
Andy Allan 2021-03-24 19:15:21 +00:00
parent f442bb9e80
commit d7eac9b5a8
2 changed files with 14 additions and 0 deletions


@ -4,6 +4,7 @@ Sanitize::Config::OSM = Sanitize::Config.merge(
:add_attributes => { "a" => { "rel" => "nofollow noopener noreferrer" } },
:remove_contents => %w[script style],
:transformers => lambda do |env|
env[:node].remove_class
env[:node].add_class("table table-sm w-auto") if env[:node_name] == "table"
end
)
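Review bot: the added `env[:node].remove_class` runs for every node the sanitizer hands to the transformer, not only elements, so an explicit guard would make the intent clearer and avoid relying on `remove_class` being a harmless no-op on text and comment nodes, e.g. `env[:node].remove_class if env[:node].element?`. The ordering is right (strip first, then re-add `table table-sm w-auto` for `table`), but this hunk only shows 1 of the 14 added lines and no test: the test file should assert that a `class` attribute on an arbitrary allowed element such as `<a>` is dropped while a `<table>` still ends up with exactly `table table-sm w-auto`, since the whole point of the change is that user-supplied classes can no longer reach the rendered page.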