Use a case-insensitive comparison in sanitizing URI schemes
Closes #1625
This commit is contained in:
parent
93b4a3a156
commit
849cc380d8
|
@ -2,6 +2,7 @@ Please view this file on the master branch, on stable branches it's out of date.
|
|||
|
||||
v 8.8.0 (unreleased)
|
||||
- Assign labels and milestone to target project when moving issue. !3934 (Long Nguyen)
|
||||
- Use a case-insensitive comparison in sanitizing URI schemes
|
||||
- Project#open_branches has been cleaned up and no longer loads entire records into memory.
|
||||
- Escape HTML in commit titles in system note messages
|
||||
- Improve multiple branch push performance by memoizing permission checking
|
||||
|
|
|
@ -63,7 +63,7 @@ module Banzai
|
|||
|
||||
begin
|
||||
uri = Addressable::URI.parse(node['href'])
|
||||
uri.scheme.strip! if uri.scheme
|
||||
uri.scheme = uri.scheme.strip.downcase if uri.scheme
|
||||
|
||||
node.remove_attribute('href') if UNSAFE_PROTOCOLS.include?(uri.scheme)
|
||||
rescue Addressable::URI::InvalidURIError
|
||||
|
|
|
@ -22,6 +22,12 @@ describe Banzai::Filter::SanitizationFilter, lib: true do
|
|||
expect(filter(act).to_html).to eq exp
|
||||
end
|
||||
|
||||
it 'sanitizes mixed-cased javascript in attributes' do
|
||||
act = %q(<a href="javaScript:alert('foo')">Text</a>)
|
||||
exp = '<a>Text</a>'
|
||||
expect(filter(act).to_html).to eq exp
|
||||
end
|
||||
|
||||
it 'allows whitelisted HTML tags from the user' do
|
||||
exp = act = "<dl>\n<dt>Term</dt>\n<dd>Definition</dd>\n</dl>"
|
||||
expect(filter(act).to_html).to eq exp
|
||||
|
|
Loading…
Reference in New Issue