Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Boxiang Sun
gitlab-ce
Commits
4225fd22
Commit
4225fd22
authored
Feb 21, 2016
by
Robert Speicher
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Sanitize `data:` links
Closes #13625
parent
1367caa6
Changes
2
Show whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
12 additions
and
5 deletions
+12
-5
lib/banzai/filter/sanitization_filter.rb
lib/banzai/filter/sanitization_filter.rb
+4
-4
spec/lib/banzai/filter/sanitization_filter_spec.rb
spec/lib/banzai/filter/sanitization_filter_spec.rb
+8
-1
No files found.
lib/banzai/filter/sanitization_filter.rb
View file @
4225fd22
...
@@ -43,8 +43,8 @@ module Banzai
...
@@ -43,8 +43,8 @@ module Banzai
# Allow any protocol in `a` elements...
# Allow any protocol in `a` elements...
whitelist
[
:protocols
].
delete
(
'a'
)
whitelist
[
:protocols
].
delete
(
'a'
)
# ...but then remove links with
the `javascript` protocol
# ...but then remove links with
unsafe protocols
whitelist
[
:transformers
].
push
(
remove_
javascript
_links
)
whitelist
[
:transformers
].
push
(
remove_
unsafe
_links
)
# Remove `rel` attribute from `a` elements
# Remove `rel` attribute from `a` elements
whitelist
[
:transformers
].
push
(
remove_rel
)
whitelist
[
:transformers
].
push
(
remove_rel
)
...
@@ -55,14 +55,14 @@ module Banzai
...
@@ -55,14 +55,14 @@ module Banzai
whitelist
whitelist
end
end
def
remove_
javascript
_links
def
remove_
unsafe
_links
lambda
do
|
env
|
lambda
do
|
env
|
node
=
env
[
:node
]
node
=
env
[
:node
]
return
unless
node
.
name
==
'a'
return
unless
node
.
name
==
'a'
return
unless
node
.
has_attribute?
(
'href'
)
return
unless
node
.
has_attribute?
(
'href'
)
if
node
[
'href'
].
start_with?
(
'javascript'
,
':javascript'
)
if
node
[
'href'
].
start_with?
(
'javascript'
,
':javascript'
,
'data'
)
node
.
remove_attribute
(
'href'
)
node
.
remove_attribute
(
'href'
)
end
end
end
end
...
...
spec/lib/banzai/filter/sanitization_filter_spec.rb
View file @
4225fd22
...
@@ -156,13 +156,20 @@ describe Banzai::Filter::SanitizationFilter, lib: true do
...
@@ -156,13 +156,20 @@ describe Banzai::Filter::SanitizationFilter, lib: true do
}
}
protocols
.
each
do
|
name
,
data
|
protocols
.
each
do
|
name
,
data
|
it
"
handle
s
#{
name
}
"
do
it
"
disallow
s
#{
name
}
"
do
doc
=
filter
(
data
[
:input
])
doc
=
filter
(
data
[
:input
])
expect
(
doc
.
to_html
).
to
eq
data
[
:output
]
expect
(
doc
.
to_html
).
to
eq
data
[
:output
]
end
end
end
end
it
'disallows data links'
do
input
=
'<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">XSS</a>'
output
=
filter
(
input
)
expect
(
output
.
to_html
).
to
eq
'<a>XSS</a>'
end
it
'allows non-standard anchor schemes'
do
it
'allows non-standard anchor schemes'
do
exp
=
%q{<a href="irc://irc.freenode.net/git">IRC</a>}
exp
=
%q{<a href="irc://irc.freenode.net/git">IRC</a>}
act
=
filter
(
exp
)
act
=
filter
(
exp
)
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment