HtmlUtils: Allow language- classes on code blocks through the sanitizer

This is required to be able to specify the highlight language in fenced blocks like the following: ```python print("foo") ``` Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
2017-06-12 02:03:38 +02:00 · 2017-06-12 02:03:38 +02:00 · 661e6a6d01
parent f9b37208a3
commit 661e6a6d01
1 changed files with 14 additions and 0 deletions
--- a/src/HtmlUtils.js
+++ b/src/HtmlUtils.js
@ -124,6 +124,7 @@ var sanitizeHtmlParams = {
        // would make sense if we did
        img: ['src'],
        ol: ['start'],
+        code: ['class'], // We don't actually allow all classes, we filter them in transformTags
    },
    // Lots of these won't come up by default because we don't allow them
    selfClosing: ['img', 'br', 'hr', 'area', 'base', 'basefont', 'input', 'link', 'meta'],
@ -165,6 +166,19 @@ var sanitizeHtmlParams = {
            attribs.rel = 'noopener'; // https://mathiasbynens.github.io/rel-noopener/
            return { tagName: tagName, attribs : attribs };
        },
+        'code': function(tagName, attribs) {
+            if (typeof attribs.class !== 'undefined') {
+                // Filter out all classes other than ones starting with language- for syntax highlighting.
+                let classes = attribs.class.split(/\s+/).filter(function(cl) {
+                    return cl.startsWith('language-');
+                });
+                attribs.class = classes.join(' ');
+            }
+            return {
+                tagName: tagName,
+                attribs: attribs,
+            };
+        },
        '*': function(tagName, attribs) {
            // Delete any style previously assigned, style is an allowedTag for font and span
            // because attributes are stripped after transforming