authorStan Hu <stanhu@gmail.com>2016-10-21 22:18:23 -0700
committerStan Hu <stanhu@gmail.com>2016-10-21 22:18:23 -0700
commit2289ee1cdde87001d3a458aae2a91679b29a3c63 (patch)
treeb86599b38203a4ca2084c0e4ef3a9be1daee4349
parent1a7926cad9e039db496bd2dbfc418ef32c423a05 (diff)
Revert "Merge branch 'markdown-xss-fix-option-2' into 'security'
This reverts commit eb54c711a0c43f768cd46aa2cc1b00f9a9c9a078.
-rw-r--r--lib/banzai/filter/autolink_filter.rb13
-rw-r--r--spec/lib/banzai/filter/autolink_filter_spec.rb22
2 files changed, 0 insertions, 35 deletions
diff --git a/lib/banzai/filter/autolink_filter.rb b/lib/banzai/filter/autolink_filter.rb
index f076d59d259..799b83b1069 100644
--- a/lib/banzai/filter/autolink_filter.rb
+++ b/lib/banzai/filter/autolink_filter.rb
@@ -71,11 +71,6 @@ module Banzai
@doc = parse_html(rinku)
end
- # Return true if any of the UNSAFE_PROTOCOLS strings are included in the URI scheme
- def contains_unsafe?(scheme)
- Banzai::Filter::SanitizationFilter::UNSAFE_PROTOCOLS.any? { |protocol| scheme.include?(protocol) }
- end
-
# Autolinks any text matching LINK_PATTERN that Rinku didn't already
# replace
def text_parse
@@ -84,14 +79,6 @@ module Banzai
next unless content.match(LINK_PATTERN)
- begin
- uri = Addressable::URI.parse(content)
- uri.scheme = uri.scheme.strip.downcase if uri.scheme
- next if contains_unsafe?(uri.scheme)
- rescue Addressable::URI::InvalidURIError
- next
- end
-
html = autolink_filter(content)
next if html == content
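Review bot: With the `begin`/`rescue` block gone, `text_parse` hands every text node that matches `LINK_PATTERN` straight to `autolink_filter` with no check on the URI scheme, so a `javascript:`-style scheme stays out of `href` only if some other stage handles it. Neither the commit message nor the visible lines say what replaces the removed guard. If sanitization later in the pipeline is the intended control, say so above the call, for example `# Scheme filtering is left to SanitizationFilter; this filter does not reject unsafe schemes itself`. The 'does not autolink javascript' example deleted from autolink_filter_spec.rb in the same commit is worth keeping at whatever level the replacement lives, so the regression stays covered. `text_parse` starts and ends outside this hunk, so the rest of the loop is not visible here.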
diff --git a/spec/lib/banzai/filter/autolink_filter_spec.rb b/spec/lib/banzai/filter/autolink_filter_spec.rb
index 6d3dd49e780..dca7f997570 100644
--- a/spec/lib/banzai/filter/autolink_filter_spec.rb
+++ b/spec/lib/banzai/filter/autolink_filter_spec.rb
@@ -99,28 +99,6 @@ describe Banzai::Filter::AutolinkFilter, lib: true do
expect(doc.at_css('a')['href']).to eq link
end
- it 'autolinks rdar' do
- link = 'rdar://localhost.com/blah'
- doc = filter("See #{link}")
-
- expect(doc.at_css('a').text).to eq link
- expect(doc.at_css('a')['href']).to eq link
- end
-
- it 'does not autolink javascript' do
- link = 'javascript://alert(document.cookie);'
- doc = filter("See #{link}")
-
- expect(doc.to_s).not_to include('href="javascript://')
- end
-
- it 'does not autolink bad URLs' do
- link = 'foo://23423:::asdf'
- doc = filter("See #{link}")
-
- expect(doc.to_s).to eq("See #{link}")
- end
-
it 'does not include trailing punctuation' do
doc = filter("See #{link}.")
expect(doc.at_css('a').text).to eq link