Commit 65d6dcdb authored by Douwe Maan's avatar Douwe Maan

Merge branch 'rs-sanitize-unicode-in-protocol-9-5' into 'security-9-5'

[9.5] Prevent a persistent XSS in user-provided markup

See merge request gitlab/gitlabhq!2203
parents f1de9aa2 3d55b49a
---
title: Prevent a persistent XSS in user-provided markup
merge_request:
author:
type: security
......@@ -73,9 +73,19 @@ module Banzai
begin
uri = Addressable::URI.parse(node['href'])
uri.scheme = uri.scheme.strip.downcase if uri.scheme
node.remove_attribute('href') if UNSAFE_PROTOCOLS.include?(uri.scheme)
return unless uri.scheme
# Remove all invalid scheme characters before checking against the
# list of unsafe protocols.
#
# See https://tools.ietf.org/html/rfc3986#section-3.1
scheme = uri.scheme
.strip
.downcase
.gsub(/[^A-Za-z0-9\+\.\-]+/, '')
node.remove_attribute('href') if UNSAFE_PROTOCOLS.include?(scheme)
rescue Addressable::URI::InvalidURIError
node.remove_attribute('href')
end
......
......@@ -213,6 +213,11 @@ describe Banzai::Filter::SanitizationFilter do
output: '<img>'
},
'protocol-based JS injection: Unicode' => {
input: %Q(<a href="\u0001java\u0003script:alert('XSS')">foo</a>),
output: '<a>foo</a>'
},
'protocol-based JS injection: spaces and entities' => {
input: '<a href=" &#14; javascript:alert(\'XSS\');">foo</a>',
output: '<a href="">foo</a>'
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment