From d39d2b9352c80a77dc301d22b11a9e1af9e21ed2 Mon Sep 17 00:00:00 2001
From: Sam
Date: Fri, 2 Mar 2018 14:51:50 +1100
Subject: [PATCH] FEATURE: whitelist data for themes

---
 app/assets/javascripts/pretty-text/white-lister.js.es6 | 7 ++++++-
 spec/components/pretty_text_spec.rb                    | 5 +++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/app/assets/javascripts/pretty-text/white-lister.js.es6 b/app/assets/javascripts/pretty-text/white-lister.js.es6
index 6dd1523f53e..8e00d76a7b9 100644
--- a/app/assets/javascripts/pretty-text/white-lister.js.es6
+++ b/app/assets/javascripts/pretty-text/white-lister.js.es6
@@ -137,7 +137,12 @@ const DEFAULT_LIST = [
   'div.quote-controls',
   'div.title',
   'div[align]',
-  'div[data-theme-*]',
+  'div[data-*]', /* This may seem a bit much but polls does
+                    it anyway and this is needed for themes,
+                    special code in sanitizer handles data-*
+                    nothing exists for data-theme-* and we
+                    don't want to slow sanitize for this case
+                 */
   'div[dir]',
   'dl',
   'dt',
diff --git a/spec/components/pretty_text_spec.rb b/spec/components/pretty_text_spec.rb
index 6ad2340ed68..347f035e95f 100644
--- a/spec/components/pretty_text_spec.rb
+++ b/spec/components/pretty_text_spec.rb
@@ -1262,4 +1262,9 @@ HTML
     HTML
   end
 
+  it "has a proper data whitlist on div" do
+    cooked = PrettyText.cook("
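Review bot: The new `'div[data-*]'` entry turns a no-op prefix rule (the comment itself says nothing matched `data-theme-*`) into a blanket allowance for every `data-` attribute on `div`, and the inline comment justifies it by "special code in sanitizer" without naming that code or what it guarantees about attribute values. Since theme and plugin JavaScript is the consumer that reads these attributes via `dataset`, the important property for a reviewer is whether the sanitizer still normalises or rejects attribute values, not just names; that is not visible in this hunk and should be stated. I would replace the five-line prose comment with a shorter one that points at the handling it relies on, e.g. `// data-* on div is allowed wholesale (polls already need it); the sanitizer's data-* attribute handling is responsible for the values — any theme JS reading them must treat them as untrusted user input.` The `DEFAULT_LIST` array begins and ends outside the hunk.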
test
")
+    expect(cooked).to include("data-theme-a")
+  end
+
 end
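Review bot: The assertion `expect(cooked).to include("data-theme-a")` only proves the attribute name survived cooking; it does not pin the attribute value, and the markup passed to `PrettyText.cook` is not readable on this page, so the exact value cannot be checked from the hunk. A whitelist widening from `data-theme-*` to `data-*` deserves a positive assertion on the full attribute (name and value, whichever quoting `cook` emits) plus one negative case showing a non-`data-` attribute on the same `div` is still removed, otherwise the spec would also pass if sanitisation were disabled entirely. The example description has a typo, `it "has a proper data whitelist on div" do`. The `it` block is fully inside the hunk; the enclosing `describe` starts outside it.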