feat(SafeHtml): allow non-http links in url attributes

Dheeraj Joshi requested to merge djadmin-safe-html-allow-links into main

Related issue - gitlab#275975 (closed)

What does this MR do?

This should allow linkifying the non-http(s) protocols in MR descriptions and all the places we render html using v-safe-html. For example, slack://open will be rendered as clickable and should open the slack application if installed.

Context

This feature existed before on gitlab-org/gitlab and stopped working when MR descriptions were moved to use v-safe-html. It happened because DOMPurify's default configuration prohibits external protocols.

We've decided to enable this configuration globally. More discussion around this and the security implications can be found at gitlab#275975 (comment 956409943).

Validating this locally

If you want to test this implementation out locally, you may want to pull the integration branch MR.

  1. Create an issue
  2. Add slack://open to the description (without quotes)
  3. It should be clickable now.

Screenshot

Before / after screenshots (images not reproduced here).

Does this MR meet the acceptance criteria?

Conformity

  • Code review guidelines.
  • GitLab UI's contributing guidelines.
  • If it changes a Pajamas-compliant component's look & feel, the MR has been reviewed by a UX designer.
  • If it changes GitLab UI's documentation guidelines, the MR has been reviewed by a Technical Writer.
  • If the MR changes a component's API, integration MR(s) have been opened in the following projects to ensure that the @gitlab/ui package can be upgraded quickly after the changes are released:
  • Added the ~"component:*" label(s) if applicable.

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • Security reports checked/validated by a reviewer from the AppSec team

Accessibility

If this MR adds or modifies a component, take a few moments to review the following:

  • All actions and functionality can be done with a keyboard.
  • Links, buttons, and controls have a visible focus state.
  • All content is presented in text or with a text equivalent. For example, alt text for SVG, or aria-label for icons that have meaning or perform actions.
  • Changes in a component’s state are announced by a screen reader. For example, changing aria-expanded="false" to aria-expanded="true" when an accordion is expanded.
  • Color combinations have sufficient contrast.
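The Context section above says the links broke because DOMPurify's default configuration rejects protocols outside its allow-list. The following is an added example, not code from @gitlab/ui, from DOMPurify or from this MR: it reproduces the shape of DOMPurify's URI allow-list check to show why `slack://open` is dropped by default, how to admit named application schemes explicitly, and why script- and data-bearing schemes stay blocked even after the list is relaxed. The default regexp and the whitespace class are written from memory of DOMPurify 2.x's source and are assumptions to verify against the version you ship; the sample hrefs and the `zoommtg` scheme are constructed for the demonstration, and the page does not show which DOMPurify option the MR itself sets.

```javascript
// Added example (not @gitlab/ui's or DOMPurify's code): a URI allow-list check in
// the style of DOMPurify's ALLOWED_URI_REGEXP, extended for app schemes without
// letting script-bearing schemes back in.

// Assumption: DOMPurify 2.x's default ALLOWED_URI_REGEXP as recalled from its
// source; confirm against the version you ship.
const DEFAULT_ALLOWED_URI =
  /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i;

// Whitespace and control characters stripped from attribute values before the
// check (assumption: DOMPurify's ATTR_WHITESPACE class). Without this step a
// scheme split by a tab would pass the regexp via its "[^a-z+.\-:]" branch.
const ATTR_WHITESPACE =
  /[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g;

// Schemes that execute code or smuggle markup; never acceptable in href.
const IS_SCRIPT_OR_DATA = /^(?:\w+script|data):/i;

// Build an allow-list regexp of the same shape as the default, with extra
// application schemes named explicitly. A positive list keeps the decision
// auditable, which "allow anything except javascript:" does not.
function buildAllowedUriRegexp(extraSchemes) {
  const base = ['(?:f|ht)tps?', 'mailto', 'tel', 'callto', 'sms', 'cid', 'xmpp'];
  const schemes = base.concat(extraSchemes.map((s) => s.toLowerCase()));
  return new RegExp(
    `^(?:(?:${schemes.join('|')}):|[^a-z]|[a-z+.\\-]+(?:[^a-z+.\\-:]|$))`,
    'i',
  );
}

// Decide whether an href value may be kept: normalise, apply the deny-list for
// script/data schemes, then the positive allow-list.
function isAllowedHref(value, allowedUri = DEFAULT_ALLOWED_URI) {
  const normalized = String(value).replace(ATTR_WHITESPACE, '');
  if (IS_SCRIPT_OR_DATA.test(normalized)) return false;
  return allowedUri.test(normalized);
}

// Run hrefs through the check and report which survive and which would have
// their href attribute removed by the sanitizer.
function classifyHrefs(hrefs, allowedUri) {
  const kept = [];
  const dropped = [];
  for (const href of hrefs) {
    (isAllowedHref(href, allowedUri) ? kept : dropped).push(href);
  }
  return { kept, dropped };
}

// Constructed sample hrefs of the kind a user could put in an MR description.
const SAMPLE_HREFS = [
  'https://example.com/path',
  '/relative/path',
  'mailto:someone@example.com',
  'slack://open',
  'zoommtg://zoom.us/join', // constructed second app scheme
  'javascript:alert(1)',
  'java\tscript:alert(1)', // scheme split by a tab
  'data:text/html;base64,AAAA',
];

// Hypothetical list of app schemes a project decides to admit.
const APP_SCHEMES = ['slack', 'zoommtg'];
const WITH_APP_SCHEMES = buildAllowedUriRegexp(APP_SCHEMES);

console.log('default  :', classifyHrefs(SAMPLE_HREFS, DEFAULT_ALLOWED_URI));
console.log('extended :', classifyHrefs(SAMPLE_HREFS, WITH_APP_SCHEMES));
```

With the default list, `slack://open` lands in `dropped` alongside the `javascript:` and `data:` values; with the extended list the two app schemes move to `kept` while the dangerous ones stay dropped, because the deny-list and the whitespace normalisation run regardless of how permissive the allow-list is.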