Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Léo-Paul Géneau
gitlab-ce
Commits
3d55b49a
Commit
3d55b49a
authored
Sep 25, 2017
by
Robert Speicher
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Prevent a persistent XSS in user-provided markup
Closes
https://gitlab.com/gitlab-org/gitlab-ce/issues/38272
parent
31a79544
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
22 additions
and
2 deletions
+22
-2
changelogs/unreleased/rs-sanitize-unicode-in-protocol.yml
changelogs/unreleased/rs-sanitize-unicode-in-protocol.yml
+5
-0
lib/banzai/filter/sanitization_filter.rb
lib/banzai/filter/sanitization_filter.rb
+12
-2
spec/lib/banzai/filter/sanitization_filter_spec.rb
spec/lib/banzai/filter/sanitization_filter_spec.rb
+5
-0
No files found.
changelogs/unreleased/rs-sanitize-unicode-in-protocol.yml
0 → 100644
View file @
3d55b49a
---
title
:
Prevent a persistent XSS in user-provided markup
merge_request
:
author
:
type
:
security
lib/banzai/filter/sanitization_filter.rb
View file @
3d55b49a
...
...
@@ -73,9 +73,19 @@ module Banzai
begin
uri
=
Addressable
::
URI
.
parse
(
node
[
'href'
])
uri
.
scheme
=
uri
.
scheme
.
strip
.
downcase
if
uri
.
scheme
node
.
remove_attribute
(
'href'
)
if
UNSAFE_PROTOCOLS
.
include?
(
uri
.
scheme
)
return
unless
uri
.
scheme
# Remove all invalid scheme characters before checking against the
# list of unsafe protocols.
#
# See https://tools.ietf.org/html/rfc3986#section-3.1
scheme
=
uri
.
scheme
.
strip
.
downcase
.
gsub
(
/[^A-Za-z0-9\+\.\-]+/
,
''
)
node
.
remove_attribute
(
'href'
)
if
UNSAFE_PROTOCOLS
.
include?
(
scheme
)
rescue
Addressable
::
URI
::
InvalidURIError
node
.
remove_attribute
(
'href'
)
end
...
...
spec/lib/banzai/filter/sanitization_filter_spec.rb
View file @
3d55b49a
...
...
@@ -213,6 +213,11 @@ describe Banzai::Filter::SanitizationFilter do
output:
'<img>'
},
'protocol-based JS injection: Unicode'
=>
{
input:
%Q(<a href="
\u
0001java
\u
0003script:alert('XSS')">foo</a>)
,
output:
'<a>foo</a>'
},
'protocol-based JS injection: spaces and entities'
=>
{
input:
'<a href="  javascript:alert(\'XSS\');">foo</a>'
,
output:
'<a href="">foo</a>'
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment