diff options
author | Mayra Cabrera <mcabrera@gitlab.com> | 2018-06-19 23:01:22 +0000 |
---|---|---|
committer | Mayra Cabrera <mcabrera@gitlab.com> | 2018-06-20 15:59:46 -0500 |
commit | 3d1ce820dffc29d20dd3ecba4c4c38dd19a80d87 (patch) | |
tree | fdf837a785a96c85dc65b27f2c79cdaa8bcd3af3 | |
parent | c3912edd73bd9339e5ef6993d386351d0b98f5bc (diff) | |
download | gitlab-ce-3d1ce820dffc29d20dd3ecba4c4c38dd19a80d87.tar.gz |
Merge branch 'security-2682-fix-xss-for-markdown-toc-10-7' into 'security-10-7'
[10.7] Fix xss for Markdown elements where [[_TOC_]] is enabled
See merge request gitlab/gitlabhq!2406
-rw-r--r-- | changelogs/unreleased/security-2682-fix-xss-for-markdown-toc.yml | 5 | ||||
-rw-r--r-- | lib/banzai/filter/table_of_contents_filter.rb | 2 | ||||
-rw-r--r-- | spec/lib/banzai/filter/table_of_contents_filter_spec.rb | 9 |
3 files changed, 15 insertions, 1 deletions
diff --git a/changelogs/unreleased/security-2682-fix-xss-for-markdown-toc.yml b/changelogs/unreleased/security-2682-fix-xss-for-markdown-toc.yml new file mode 100644 index 00000000000..f595678c3c2 --- /dev/null +++ b/changelogs/unreleased/security-2682-fix-xss-for-markdown-toc.yml @@ -0,0 +1,5 @@ +--- +title: Fix XSS vulnerability for table of content generation +merge_request: +author: +type: security diff --git a/lib/banzai/filter/table_of_contents_filter.rb b/lib/banzai/filter/table_of_contents_filter.rb index 97244159985..b32660a8341 100644 --- a/lib/banzai/filter/table_of_contents_filter.rb +++ b/lib/banzai/filter/table_of_contents_filter.rb @@ -92,7 +92,7 @@ module Banzai def text return '' unless node - @text ||= node.text + @text ||= EscapeUtils.escape_html(node.text) end private diff --git a/spec/lib/banzai/filter/table_of_contents_filter_spec.rb b/spec/lib/banzai/filter/table_of_contents_filter_spec.rb index 0cfef4ff5bf..7213cd58ea7 100644 --- a/spec/lib/banzai/filter/table_of_contents_filter_spec.rb +++ b/spec/lib/banzai/filter/table_of_contents_filter_spec.rb @@ -139,5 +139,14 @@ describe Banzai::Filter::TableOfContentsFilter do expect(items[5].ancestors).to include(items[4]) end end + + context 'header text contains escaped content' do + let(:content) { '<img src="x" onerror="alert(42)">' } + let(:results) { result(header(1, content)) } + + it 'outputs escaped content' do + expect(doc.inner_html).to include(content) + end + end end end |