diff --git a/app/assets/javascripts/issue_show/components/description.vue b/app/assets/javascripts/issue_show/components/description.vue
index 0812392f8049a6b148dd87cbd0186f61444517bc..4c6a1478e950e71c85a55987a07705fb43c07740 100644
--- a/app/assets/javascripts/issue_show/components/description.vue
+++ b/app/assets/javascripts/issue_show/components/description.vue
@@ -123,6 +123,7 @@ export default {
}
},
},
+ safeHtmlConfig: { ADD_TAGS: ['gl-emoji'] },
};
</script>
@@ -136,7 +137,7 @@ export default {
>
<div
ref="gfm-content"
- v-safe-html="descriptionHtml"
+ v-safe-html:[$options.safeHtmlConfig]="descriptionHtml"
:class="{
'issue-realtime-pre-pulse': preAnimation,
'issue-realtime-trigger-pulse': pulseAnimation,
diff --git a/app/assets/javascripts/lib/dompurify.js b/app/assets/javascripts/lib/dompurify.js
index ff51236435609b4e85227277153d6b3a1ddf77a0..d421d66981e2675d007ad4511da583725726860f 100644
--- a/app/assets/javascripts/lib/dompurify.js
+++ b/app/assets/javascripts/lib/dompurify.js
@@ -3,7 +3,7 @@ import { getBaseURL, relativePathToAbsolute } from '~/lib/utils/url_utility';
const defaultConfig = {
// Safely allow SVG <use> tags
- ADD_TAGS: ['use'],
+ ADD_TAGS: ['use', 'gl-emoji'],
// Prevent possible XSS attacks with data-* attributes used by @rails/ujs
// See https://gitlab.com/gitlab-org/gitlab-ui/-/issues/1421
FORBID_ATTR: ['data-remote', 'data-url', 'data-type', 'data-method'],
diff --git a/spec/features/issues/issue_detail_spec.rb b/spec/features/issues/issue_detail_spec.rb
index a942a1a44f63463daa5e487e8982796aa62af459..531c3634b5e3dca56806fbde326bcbd5371ed3b9 100644
--- a/spec/features/issues/issue_detail_spec.rb
+++ b/spec/features/issues/issue_detail_spec.rb
@@ -32,6 +32,21 @@
end
end
+ context 'when issue description has emojis' do
+ let(:issue) { create(:issue, project: project, author: user, description: 'hello world :100:') }
+
+ before do
+ sign_in(user)
+ visit project_issue_path(project, issue)
+ end
+
+ it 'renders gl-emoji tag' do
+ page.within('.description') do
+ expect(page).to have_selector('gl-emoji', count: 1)
+ end
+ end
+ end
+
context 'when issue description has xss snippet' do
before do
issue.update!(description: '')
diff --git a/spec/frontend/lib/dompurify_spec.js b/spec/frontend/lib/dompurify_spec.js
index 696e2ba6e137fc83e3c7d1bea13fe417401ebd17..324441fa2c9dbd3f63fe98c222e177da58991907 100644
--- a/spec/frontend/lib/dompurify_spec.js
+++ b/spec/frontend/lib/dompurify_spec.js
@@ -65,6 +65,10 @@ describe('~/lib/dompurify', () => {
expect(sanitize(htmlXlink)).toBe(htmlXlink);
});
+ it("doesn't sanitize gl-emoji", () => {
+ expect(sanitize('<p><gl-emoji>💯</gl-emoji></p>')).toBe('<p><gl-emoji>💯</gl-emoji></p>');
+ });
+
describe.each`
type | gon
${'root'} | ${rootGon}