Sanitize vbscript: links

Closes https://dev.gitlab.org/gitlab/gitlabhq/issues/2660
This commit is contained in:
Robert Speicher 2016-02-23 20:40:31 -05:00
parent 4225fd229f
commit 989946f337
2 changed files with 10 additions and 1 deletions

View file

@ -7,6 +7,8 @@ module Banzai
#
# Extends HTML::Pipeline::SanitizationFilter with a custom whitelist.
class SanitizationFilter < HTML::Pipeline::SanitizationFilter
UNSAFE_PROTOCOLS = %w(javascript :javascript data vbscript).freeze
def whitelist
whitelist = super
@ -62,7 +64,7 @@ module Banzai
return unless node.name == 'a'
return unless node.has_attribute?('href')
if node['href'].start_with?('javascript', ':javascript', 'data')
if node['href'].start_with?(*UNSAFE_PROTOCOLS)
node.remove_attribute('href')
end
end

View file

@ -170,6 +170,13 @@ describe Banzai::Filter::SanitizationFilter, lib: true do
expect(output.to_html).to eq '<a>XSS</a>'
end
it 'disallows vbscript links' do
input = '<a href="vbscript:alert(document.domain)">XSS</a>'
output = filter(input)
expect(output.to_html).to eq '<a>XSS</a>'
end
it 'allows non-standard anchor schemes' do
exp = %q{<a href="irc://irc.freenode.net/git">IRC</a>}
act = filter(exp)