From 989946f33717685065812d72e9ed4490fe969104 Mon Sep 17 00:00:00 2001 From: Robert Speicher Date: Tue, 23 Feb 2016 20:40:31 -0500 Subject: [PATCH] Sanitize `vbscript:` links Closes https://dev.gitlab.org/gitlab/gitlabhq/issues/2660 --- lib/banzai/filter/sanitization_filter.rb | 4 +++- spec/lib/banzai/filter/sanitization_filter_spec.rb | 7 +++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/lib/banzai/filter/sanitization_filter.rb b/lib/banzai/filter/sanitization_filter.rb index c201ace8d35..abd79b329ae 100644 --- a/lib/banzai/filter/sanitization_filter.rb +++ b/lib/banzai/filter/sanitization_filter.rb @@ -7,6 +7,8 @@ module Banzai # # Extends HTML::Pipeline::SanitizationFilter with a custom whitelist. class SanitizationFilter < HTML::Pipeline::SanitizationFilter + UNSAFE_PROTOCOLS = %w(javascript :javascript data vbscript).freeze + def whitelist whitelist = super @@ -62,7 +64,7 @@ module Banzai return unless node.name == 'a' return unless node.has_attribute?('href') - if node['href'].start_with?('javascript', ':javascript', 'data') + if node['href'].start_with?(*UNSAFE_PROTOCOLS) node.remove_attribute('href') end end diff --git a/spec/lib/banzai/filter/sanitization_filter_spec.rb b/spec/lib/banzai/filter/sanitization_filter_spec.rb index 247f492e6a9..4a7b00c7660 100644 --- a/spec/lib/banzai/filter/sanitization_filter_spec.rb +++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb @@ -170,6 +170,13 @@ describe Banzai::Filter::SanitizationFilter, lib: true do expect(output.to_html).to eq 'XSS' end + it 'disallows vbscript links' do + input = 'XSS' + output = filter(input) + + expect(output.to_html).to eq 'XSS' + end + it 'allows non-standard anchor schemes' do exp = %q{IRC} act = filter(exp)