[master] Resolve "[Security] Stored XSS via KaTeX"

changelogs/unreleased/security-stored-xss-via-katex.yml

@@ -0,0 +1,5 @@
+---
+title: Fixed XSS content in KaTex links
+merge_request:
+author:
+type: security

spec/features/markdown/math_spec.rb

@@ -1,6 +1,8 @@
 require 'spec_helper'
 
 describe 'Math rendering', :js do
+  let!(:project)   { create(:project, :public) }
+
   it 'renders inline and display math correctly' do
     description = <<~MATH
       This math is inline $`a^2+b^2=c^2`$.
@@ -11,7 +13,6 @@ describe 'Math rendering', :js do
       ```
     MATH
 
-    project = create(:project, :public)
     issue = create(:issue, project: project, description: description)
 
     visit project_issue_path(project, issue)
@@ -19,4 +20,19 @@ describe 'Math rendering', :js do
     expect(page).to have_selector('.katex .mord.mathdefault', text: 'b')
     expect(page).to have_selector('.katex-display .mord.mathdefault', text: 'b')
   end
+
+  it 'only renders non XSS links' do
+    description = <<~MATH
+      This link is valid $`\\href{javascript:alert('xss');}{xss}`$.
+
+      This link is valid $`\\href{https://gitlab.com}{Gitlab}`$.
+    MATH
+
+    issue = create(:issue, project: project, description: description)
+
+    visit project_issue_path(project, issue)
+
+    expect(page).to have_selector('.katex-error', text: "\href{javascript:alert('xss');}{xss}")
+    expect(page).to have_selector('.katex-html a', text: 'Gitlab')
+  end
 end