Commit a3b68de7 authored by Douwe Maan's avatar Douwe Maan Committed by Robert Speicher

Merge branch 'rs-sanitize-unicode-in-protocol-9-5' into 'security-9-5'

[9.5] Prevent a persistent XSS in user-provided markup

See merge request gitlab/gitlabhq!2203
parent 28152b40
---
title: Prevent a persistent XSS in user-provided markup
merge_request:
author:
type: security
...@@ -73,9 +73,19 @@ module Banzai ...@@ -73,9 +73,19 @@ module Banzai
begin begin
uri = Addressable::URI.parse(node['href']) uri = Addressable::URI.parse(node['href'])
uri.scheme = uri.scheme.strip.downcase if uri.scheme
node.remove_attribute('href') if UNSAFE_PROTOCOLS.include?(uri.scheme) return unless uri.scheme
# Remove all invalid scheme characters before checking against the
# list of unsafe protocols.
#
# See https://tools.ietf.org/html/rfc3986#section-3.1
scheme = uri.scheme
.strip
.downcase
.gsub(/[^A-Za-z0-9\+\.\-]+/, '')
node.remove_attribute('href') if UNSAFE_PROTOCOLS.include?(scheme)
rescue Addressable::URI::InvalidURIError rescue Addressable::URI::InvalidURIError
node.remove_attribute('href') node.remove_attribute('href')
end end
......
...@@ -213,6 +213,11 @@ describe Banzai::Filter::SanitizationFilter do ...@@ -213,6 +213,11 @@ describe Banzai::Filter::SanitizationFilter do
output: '<img>' output: '<img>'
}, },
'protocol-based JS injection: Unicode' => {
input: %Q(<a href="\u0001java\u0003script:alert('XSS')">foo</a>),
output: '<a>foo</a>'
},
'protocol-based JS injection: spaces and entities' => { 'protocol-based JS injection: spaces and entities' => {
input: '<a href=" &#14; javascript:alert(\'XSS\');">foo</a>', input: '<a href=" &#14; javascript:alert(\'XSS\');">foo</a>',
output: '<a href="">foo</a>' output: '<a href="">foo</a>'
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment