Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
989946f3
Commit
989946f3
authored
Feb 23, 2016
by
Robert Speicher
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Sanitize `vbscript:` links
Closes
https://dev.gitlab.org/gitlab/gitlabhq/issues/2660
parent
4225fd22
Changes
2
Show whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
10 additions
and
1 deletion
+10
-1
lib/banzai/filter/sanitization_filter.rb
lib/banzai/filter/sanitization_filter.rb
+3
-1
spec/lib/banzai/filter/sanitization_filter_spec.rb
spec/lib/banzai/filter/sanitization_filter_spec.rb
+7
-0
No files found.
lib/banzai/filter/sanitization_filter.rb
View file @
989946f3
...
...
@@ -7,6 +7,8 @@ module Banzai
#
# Extends HTML::Pipeline::SanitizationFilter with a custom whitelist.
class
SanitizationFilter
<
HTML
::
Pipeline
::
SanitizationFilter
UNSAFE_PROTOCOLS
=
%w(javascript :javascript data vbscript)
.
freeze
def
whitelist
whitelist
=
super
...
...
@@ -62,7 +64,7 @@ module Banzai
return
unless
node
.
name
==
'a'
return
unless
node
.
has_attribute?
(
'href'
)
if
node
[
'href'
].
start_with?
(
'javascript'
,
':javascript'
,
'data'
)
if
node
[
'href'
].
start_with?
(
*
UNSAFE_PROTOCOLS
)
node
.
remove_attribute
(
'href'
)
end
end
...
...
spec/lib/banzai/filter/sanitization_filter_spec.rb
View file @
989946f3
...
...
@@ -170,6 +170,13 @@ describe Banzai::Filter::SanitizationFilter, lib: true do
expect
(
output
.
to_html
).
to
eq
'<a>XSS</a>'
end
it
'disallows vbscript links'
do
input
=
'<a href="vbscript:alert(document.domain)">XSS</a>'
output
=
filter
(
input
)
expect
(
output
.
to_html
).
to
eq
'<a>XSS</a>'
end
it
'allows non-standard anchor schemes'
do
exp
=
%q{<a href="irc://irc.freenode.net/git">IRC</a>}
act
=
filter
(
exp
)
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment