authorRobert Speicher <robert@gitlab.com>2016-05-09 22:18:38 +0000
committerYorick Peterse <yorickpeterse@gmail.com>2016-05-11 11:06:31 +0200
commit5ec434706727b279f55eff4875bf76de48dd1735 (patch)
tree75896e07227be5333fde844d035c1ee806ec939a
parent96461d4764311dbe64173ea6ff839e087487b5ca (diff)
Merge branch 'xss-case-insensitive-protocol' into 'master'
Use a case-insensitive check to compare URI schemes Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/17299 See merge request !1965
-rw-r--r--CHANGELOG1
-rw-r--r--lib/banzai/filter/sanitization_filter.rb2
-rw-r--r--spec/lib/banzai/filter/sanitization_filter_spec.rb6
3 files changed, 8 insertions, 1 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 6571e464e6f..17e9c27eb99 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -2,6 +2,7 @@ Please view this file on the master branch, on stable branches it's out of date.
v 8.8.0 (unreleased)
- Assign labels and milestone to target project when moving issue. !3934 (Long Nguyen)
+ - Use a case-insensitive comparison in sanitizing URI schemes
- Project#open_branches has been cleaned up and no longer loads entire records into memory.
- Escape HTML in commit titles in system note messages
- Improve multiple branch push performance by memoizing permission checking
diff --git a/lib/banzai/filter/sanitization_filter.rb b/lib/banzai/filter/sanitization_filter.rb
index 42dbab9d27e..ca80aac5a08 100644
--- a/lib/banzai/filter/sanitization_filter.rb
+++ b/lib/banzai/filter/sanitization_filter.rb
@@ -63,7 +63,7 @@ module Banzai
begin
uri = Addressable::URI.parse(node['href'])
- uri.scheme.strip! if uri.scheme
+ uri.scheme = uri.scheme.strip.downcase if uri.scheme
node.remove_attribute('href') if UNSAFE_PROTOCOLS.include?(uri.scheme)
rescue Addressable::URI::InvalidURIError
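Review bot: The normalised comparison on the `+` line still only sees what `Addressable::URI.parse` reports as the scheme, and the `if uri.scheme` guard skips the check entirely when the parser finds none, so an href that the parser does not classify as having a scheme keeps its attribute even if a browser would still treat the prefix as one; the `UNSAFE_PROTOCOLS` denylist is therefore only as strong as the parser's agreement with browsers. An allowlist of permitted protocols applied by the sanitizer itself would fail closed instead, though the filter's whitelist configuration is outside this hunk so I cannot tell whether one is already in place. The new line would also benefit from a comment stating why both transforms are applied, e.g. `# Schemes are case-insensitive (RFC 3986 §3.1); normalise before the denylist lookup`. The enclosing begin/rescue block starts and ends outside the hunk.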
diff --git a/spec/lib/banzai/filter/sanitization_filter_spec.rb b/spec/lib/banzai/filter/sanitization_filter_spec.rb
index 27ce312b11c..b38e3b17e64 100644
--- a/spec/lib/banzai/filter/sanitization_filter_spec.rb
+++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb
@@ -22,6 +22,12 @@ describe Banzai::Filter::SanitizationFilter, lib: true do
expect(filter(act).to_html).to eq exp
end
+ it 'sanitizes mixed-cased javascript in attributes' do
+ act = %q(<a href="javaScript:alert('foo')">Text</a>)
+ exp = '<a>Text</a>'
+ expect(filter(act).to_html).to eq exp
+ end
+
it 'allows whitelisted HTML tags from the user' do
exp = act = "<dl>\n<dt>Term</dt>\n<dd>Definition</dd>\n</dl>"
expect(filter(act).to_html).to eq exp
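Review bot: The new example at the `+` lines covers only the case-folding half of the changed filter line; the `strip` half and the combination of surrounding whitespace with mixed case are not exercised here, and I cannot see from this hunk whether an earlier example covers them. A second example reusing the same shape, `act = %q(<a href="  javaScript:alert('foo')">Text</a>)` with the same `exp = '<a>Text</a>'`, would pin both transforms together. The enclosing `describe` block starts and ends outside the hunk.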