Sanitize data: links

Closes #13625

lib/banzai/filter/sanitization_filter.rb

@@ -43,8 +43,8 @@ module Banzai
         # Allow any protocol in `a` elements...
         whitelist[:protocols].delete('a')
 
-        # ...but then remove links with the `javascript` protocol
+        # ...but then remove links with unsafe protocols
-        whitelist[:transformers].push(remove_javascript_links)
+        whitelist[:transformers].push(remove_unsafe_links)
 
         # Remove `rel` attribute from `a` elements
         whitelist[:transformers].push(remove_rel)
@@ -55,14 +55,14 @@ module Banzai
         whitelist
       end
 
-      def remove_javascript_links
+      def remove_unsafe_links
         lambda do |env|
           node = env[:node]
 
           return unless node.name == 'a'
           return unless node.has_attribute?('href')
 
-          if node['href'].start_with?('javascript', ':javascript')
+          if node['href'].start_with?('javascript', ':javascript', 'data')
             node.remove_attribute('href')
           end
         end

spec/lib/banzai/filter/sanitization_filter_spec.rb

@@ -156,13 +156,20 @@ describe Banzai::Filter::SanitizationFilter, lib: true do
     }
 
     protocols.each do |name, data|
-      it "handles #{name}" do
+      it "disallows #{name}" do
         doc = filter(data[:input])
 
         expect(doc.to_html).to eq data[:output]
       end
     end
 
+    it 'disallows data links' do
+      input = '<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">XSS</a>'
+      output = filter(input)
+
+      expect(output.to_html).to eq '<a>XSS</a>'
+    end
+
     it 'allows non-standard anchor schemes' do
       exp = %q{<a href="irc://irc.freenode.net/git">IRC</a>}
       act = filter(exp)