authorrpereira2 <rpereira@gitlab.com>2019-08-22 23:43:44 +0530
committerrpereira2 <rpereira@gitlab.com>2019-08-26 13:46:12 +0530
commit2956c471118d314151fae941ed23c1c07c958757 (patch)
tree8fafe04c83b4690e09889e81428649d954b3a602
parent8112fb37544557b3f94c0a558175d5da99ef9829 (diff)
Do not use sanitize in url_blockerfix-sanitize-usage
- Compare the URL with its percent-encoded form instead, so that a URL containing unencoded special characters is rejected.
-rw-r--r--lib/gitlab/url_blocker.rb4
-rw-r--r--locale/gitlab.pot3
-rw-r--r--spec/validators/addressable_url_validator_spec.rb2
3 files changed, 6 insertions, 3 deletions
diff --git a/lib/gitlab/url_blocker.rb b/lib/gitlab/url_blocker.rb
index 9c35d200dcb..631381001fe 100644
--- a/lib/gitlab/url_blocker.rb
+++ b/lib/gitlab/url_blocker.rb
@@ -156,9 +156,9 @@ module Gitlab
def validate_html_tags(uri)
uri_str = uri.to_s
- sanitized_uri = ActionController::Base.helpers.sanitize(uri_str, tags: [])
+ sanitized_uri = Addressable::URI.encode(uri_str)
if sanitized_uri != uri_str
- raise BlockedUrlError, 'HTML/CSS/JS tags are not allowed'
+ raise BlockedUrlError, _('Special characters should be encoded')
end
end
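Review bot: The new `if sanitized_uri != uri_str` check treats an already percent-encoded URL as invalid, because `Addressable::URI.encode` re-encodes the `%` of existing escapes (`/a%20b` becomes `/a%2520b`) rather than preserving them, so a caller who follows the 'Special characters should be encoded' message is still blocked — please confirm this against the Addressable version in the lockfile. A check that leaves valid escapes alone would test the string against the RFC 3986 character set instead, e.g. `raise BlockedUrlError, _('Special characters should be encoded') if uri_str.match?(%r{[^A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]})`, and the spec should pin the intended result for an encoded URL such as `https://example.com/a%20b`. Separately, the method is still named `validate_html_tags` although it now rejects any unencoded character (whitespace, non-ASCII hostnames and paths, `<`, `>`), a broader rule than the old tag-stripping one, so a comment such as `# Rejects any character that would have to be percent-encoded, not just HTML tags.` above the `def` would keep the name from misleading. The enclosing class and module start outside this hunk.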
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 61642fbbd59..ec552cbccae 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -10681,6 +10681,9 @@ msgstr ""
msgid "Spam log successfully submitted as ham."
msgstr ""
+msgid "Special characters should be encoded"
+msgstr ""
+
msgid "Specific Runners"
msgstr ""
diff --git a/spec/validators/addressable_url_validator_spec.rb b/spec/validators/addressable_url_validator_spec.rb
index 387e84b2d04..3f3621d9173 100644
--- a/spec/validators/addressable_url_validator_spec.rb
+++ b/spec/validators/addressable_url_validator_spec.rb
@@ -265,7 +265,7 @@ describe AddressableUrlValidator do
context 'when enforce_sanitization is' do
let(:validator) { described_class.new(attributes: [:link_url], enforce_sanitization: enforce_sanitization) }
let(:unsafe_url) { "https://replaceme.com/'><script>alert(document.cookie)</script>" }
- let(:safe_url) { 'https://replaceme.com/path/to/somewhere' }
+ let(:safe_url) { 'https://example.com/d?orgId=1&from=now-8h' }
let(:unsafe_internal_url) do
Gitlab.config.gitlab.protocol + '://' + Gitlab.config.gitlab.host +