refinery · parndt · Apr 20, 2016 · Apr 7, 2016
diff --git a/pages/app/presenters/refinery/pages/section_presenter.rb b/pages/app/presenters/refinery/pages/section_presenter.rb
@@ -64,9 +64,8 @@ def html_from_fallback(can_use_fallback)
 
       def wrap_content_in_tag(content)
         content = sanitize(content,
-          tags: Loofah::HTML5::WhiteList::ALLOWED_ELEMENTS,
-          attributes: Loofah::HTML5::WhiteList::ALLOWED_ATTRIBUTES,
-          scrubber: Rails::Html::PermitScrubber.new
+          tags: Refinery::Pages::whitelist_elements,
+          attributes: Refinery::Pages::whitelist_attributes
         )
         content_tag(:section, content_tag(:div, content, :class => 'inner'), :id => id)
       end

diff --git a/pages/lib/generators/refinery/pages/templates/config/initializers/refinery/pages.rb.erb b/pages/lib/generators/refinery/pages/templates/config/initializers/refinery/pages.rb.erb
@@ -65,4 +65,8 @@ Refinery::Pages.configure do |config|
   # config.absolute_page_links = <%= Refinery::Pages.absolute_page_links.inspect %>
 
   # config.show_title_in_body = <%= Refinery::Pages.show_title_in_body.inspect %>
+
+  # config.add_whitelist_elements = <%= Refinery::Pages.add_whitelist_elements.inspect %>
+
+  # config.add_whitelist_attributes = <%= Refinery::Pages.add_whitelist_attributes.inspect %>
 end
diff --git a/pages/lib/refinery/pages/configuration.rb b/pages/lib/refinery/pages/configuration.rb
@@ -8,7 +8,8 @@ module Pages
                     :cache_pages_full, :layout_template_whitelist,
                     :use_layout_templates, :page_title, :absolute_page_links, :types,
                     :auto_expand_admin_tree, :show_title_in_body,
-                    :friendly_id_reserved_words, :layout_templates_pattern, :view_templates_pattern
+                    :friendly_id_reserved_words, :layout_templates_pattern, :view_templates_pattern,
+                    :add_whitelist_elements, :add_whitelist_attributes, :whitelist_elements, :whitelist_attributes
 
     self.pages_per_dialog = 14
     self.pages_per_admin_index = 20
@@ -21,7 +22,19 @@ module Pages
     self.scope_slug_by_parent = true
     self.cache_pages_full = false
     self.layout_template_whitelist = ["application"]
+    self.add_whitelist_elements = %w[ source track ]
+    self.add_whitelist_attributes = %w[ kind srclang placeholder controls ]
+
+
     class << self
+      def whitelist_elements
+        Loofah::HTML5::WhiteList::ALLOWED_ELEMENTS.merge(config.add_whitelist_elements)
+      end
+
+      def whitelist_attributes
+        Loofah::HTML5::WhiteList::ALLOWED_ATTRIBUTES.merge(config.add_whitelist_attributes)
+      end
+
       def layout_template_whitelist
         Array(config.layout_template_whitelist).map(&:to_s)
       end

diff --git a/pages/spec/presenters/refinery/pages/section_presenter_spec.rb b/pages/spec/presenters/refinery/pages/section_presenter_spec.rb
@@ -2,6 +2,8 @@
 
 module Refinery
   module Pages
+
+
     describe SectionPresenter do
       it "can build a css class for when it is not present based on id" do
         section = SectionPresenter.new(:fallback_html => 'foobar', :id => 'mynode')
@@ -45,6 +47,56 @@ module Pages
           expect(section.wrapped_html(true)).to xml_eq('<section id="mynode"><div class="inner">foobar</div></section>')
         end
 
+
+        # Regression tests for https://github.com/refinery/refinerycms-inquiries/issues/168
+        describe "#whitelist_elements" do
+          context "when an element is not in a whitelist" do
+            it "will not return those elements" do
+              allow(Refinery::Pages).to receive(:whitelist_elements) {%w()}
+              section = SectionPresenter.new
+              section.override_html = %Q{<dummy></dummy>}
+              expect(section.wrapped_html(true)).to xml_eq(
+                %Q{<section><div class="inner"></div></section>}
+              )
+            end
+          end
+
+          context "when an extra element is included in the whitelist" do
+            it "will contain the whitelisted element" do
+              allow(Refinery::Pages).to receive(:whitelist_elements) {%w(dummy)}
+              section = SectionPresenter.new
+              section.override_html = %Q{<dummy></dummy>}
+              expect(section.wrapped_html(true)).to xml_eq(
+                %Q{<section><div class="inner"><dummy></dummy></div></section>}
+              )
+            end
+          end
+        end
+
+        describe "#whitelist_attributes" do
+          context "when an attribute is not in a whitelist" do
+            it "will not return those attributes" do
+              allow(Refinery::Pages).to receive(:whitelist_attributes) {%w()}
+              section = SectionPresenter.new
+              section.override_html = %Q{<a attribute="value"></a>}
+              expect(section.wrapped_html(true)).to xml_eq(
+                %Q{<section><div class="inner"><a></a></div></section>}
+              )
+            end
+          end
+
+          context "when extra attributes are included in the whitelist" do
+            it "will contain the whitelisted attributes" do
+              allow(Refinery::Pages).to receive(:whitelist_attributes) {%w(attribute)}
+              section = SectionPresenter.new
+              section.override_html = %Q{<a attribute="value"></a>}
+              expect(section.wrapped_html(true)).to xml_eq(
+                %Q{<section><div class="inner"><a attribute="value"></a></div></section>}
+              )
+            end
+          end
+        end
+
         describe "if allowed to use fallback html" do
           it "wont show a section with no fallback or override" do
             section = SectionPresenter.new