parent
1367caa642
commit
4225fd229f
|
@ -43,8 +43,8 @@ module Banzai
|
|||
# Allow any protocol in `a` elements...
|
||||
whitelist[:protocols].delete('a')
|
||||
|
||||
# ...but then remove links with the `javascript` protocol
|
||||
whitelist[:transformers].push(remove_javascript_links)
|
||||
# ...but then remove links with unsafe protocols
|
||||
whitelist[:transformers].push(remove_unsafe_links)
|
||||
|
||||
# Remove `rel` attribute from `a` elements
|
||||
whitelist[:transformers].push(remove_rel)
|
||||
|
@ -55,14 +55,14 @@ module Banzai
|
|||
whitelist
|
||||
end
|
||||
|
||||
def remove_javascript_links
|
||||
def remove_unsafe_links
|
||||
lambda do |env|
|
||||
node = env[:node]
|
||||
|
||||
return unless node.name == 'a'
|
||||
return unless node.has_attribute?('href')
|
||||
|
||||
if node['href'].start_with?('javascript', ':javascript')
|
||||
if node['href'].start_with?('javascript', ':javascript', 'data')
|
||||
node.remove_attribute('href')
|
||||
end
|
||||
end
|
||||
|
|
|
@ -156,13 +156,20 @@ describe Banzai::Filter::SanitizationFilter, lib: true do
|
|||
}
|
||||
|
||||
protocols.each do |name, data|
|
||||
it "handles #{name}" do
|
||||
it "disallows #{name}" do
|
||||
doc = filter(data[:input])
|
||||
|
||||
expect(doc.to_html).to eq data[:output]
|
||||
end
|
||||
end
|
||||
|
||||
it 'disallows data links' do
|
||||
input = '<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">XSS</a>'
|
||||
output = filter(input)
|
||||
|
||||
expect(output.to_html).to eq '<a>XSS</a>'
|
||||
end
|
||||
|
||||
it 'allows non-standard anchor schemes' do
|
||||
exp = %q{<a href="irc://irc.freenode.net/git">IRC</a>}
|
||||
act = filter(exp)
|
||||
|
|
Loading…
Reference in New Issue