Sanitize `vbscript:` links

Closes https://dev.gitlab.org/gitlab/gitlabhq/issues/2660
2016-02-23 20:40:31 -05:00 · 2016-02-23 20:40:31 -05:00 · 989946f337
parent 4225fd229f
commit 989946f337
2 changed files with 10 additions and 1 deletions
--- a/lib/banzai/filter/sanitization_filter.rb
+++ b/lib/banzai/filter/sanitization_filter.rb
@ -7,6 +7,8 @@ module Banzai
    #
    # Extends HTML::Pipeline::SanitizationFilter with a custom whitelist.
    class SanitizationFilter < HTML::Pipeline::SanitizationFilter
+      UNSAFE_PROTOCOLS = %w(javascript :javascript data vbscript).freeze
+
      def whitelist
        whitelist = super

@ -62,7 +64,7 @@ module Banzai
          return unless node.name == 'a'
          return unless node.has_attribute?('href')

-          if node['href'].start_with?('javascript', ':javascript', 'data')
+          if node['href'].start_with?(*UNSAFE_PROTOCOLS)
            node.remove_attribute('href')
          end
        end
--- a/spec/lib/banzai/filter/sanitization_filter_spec.rb
+++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb
@ -170,6 +170,13 @@ describe Banzai::Filter::SanitizationFilter, lib: true do
      expect(output.to_html).to eq '<a>XSS</a>'
    end

+    it 'disallows vbscript links' do
+      input = '<a href="vbscript:alert(document.domain)">XSS</a>'
+      output = filter(input)
+
+      expect(output.to_html).to eq '<a>XSS</a>'
+    end
+
    it 'allows non-standard anchor schemes' do
      exp = %q{<a href="irc://irc.freenode.net/git">IRC</a>}
      act = filter(exp)