authorCindy Pallares <cindy@gitlab.com>2018-11-28 19:02:01 +0000
committerCindy Pallares <cindy@gitlab.com>2018-11-28 19:09:35 -0500
commitb5b475c273aca6aee13f628507cef9f077281a02 (patch)
tree4b7350033cba6765fc7638ac2864cdef7610cdbc /lib/banzai/filter/spaced_link_filter.rb
parentc4bb0a116efb8d95dcf7edd92424795ea919660f (diff)
Merge branch 'security-xss-in-markdown-following-unrecognized-html-element' into 'master'
[master] XSS in markdown following unrecognized HTML element. Closes #2732. See merge request gitlab/gitlabhq!2599
Diffstat (limited to 'lib/banzai/filter/spaced_link_filter.rb')
-rw-r--r--lib/banzai/filter/spaced_link_filter.rb3
1 files changed, 3 insertions, 0 deletions
diff --git a/lib/banzai/filter/spaced_link_filter.rb b/lib/banzai/filter/spaced_link_filter.rb
index a27f1d46863..c6a3a763c23 100644
--- a/lib/banzai/filter/spaced_link_filter.rb
+++ b/lib/banzai/filter/spaced_link_filter.rb
@@ -17,6 +17,9 @@ module Banzai
# This is a small extension to the CommonMark spec. If they start allowing
# spaces in urls, we could then remove this filter.
#
+ # Note: Filter::SanitizationFilter should always be run sometime after this filter
+ # to prevent XSS attacks
+ #
class SpacedLinkFilter < HTML::Pipeline::Filter
include ActionView::Helpers::TagHelper