summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorDouwe Maan <douwe@gitlab.com>2016-02-29 13:22:38 +0000
committerDouwe Maan <douwe@gitlab.com>2016-02-29 13:22:38 +0000
commitcd391b66e9d480c3143b63d32f893c6a1015f04e (patch)
tree8916890c65f15a7899b0abae5f50923fc568e934 /lib
parent2ea8f71bb42e63caf58ab285d0c4e483c2c4de19 (diff)
parent989946f33717685065812d72e9ed4490fe969104 (diff)
downloadgitlab-ce-cd391b66e9d480c3143b63d32f893c6a1015f04e.tar.gz
Merge branch 'rs-data-links' into 'master'
Sanitize `data` and `vbscript` links Closes #13625 Closes https://dev.gitlab.org/gitlab/gitlabhq/issues/2660 See merge request !2905
Diffstat (limited to 'lib')
-rw-r--r--lib/banzai/filter/sanitization_filter.rb10
1 files changed, 6 insertions, 4 deletions
diff --git a/lib/banzai/filter/sanitization_filter.rb b/lib/banzai/filter/sanitization_filter.rb
index 04ddfe53ed6..abd79b329ae 100644
--- a/lib/banzai/filter/sanitization_filter.rb
+++ b/lib/banzai/filter/sanitization_filter.rb
@@ -7,6 +7,8 @@ module Banzai
#
# Extends HTML::Pipeline::SanitizationFilter with a custom whitelist.
class SanitizationFilter < HTML::Pipeline::SanitizationFilter
+ UNSAFE_PROTOCOLS = %w(javascript :javascript data vbscript).freeze
+
def whitelist
whitelist = super
@@ -43,8 +45,8 @@ module Banzai
# Allow any protocol in `a` elements...
whitelist[:protocols].delete('a')
- # ...but then remove links with the `javascript` protocol
- whitelist[:transformers].push(remove_javascript_links)
+ # ...but then remove links with unsafe protocols
+ whitelist[:transformers].push(remove_unsafe_links)
# Remove `rel` attribute from `a` elements
whitelist[:transformers].push(remove_rel)
@@ -55,14 +57,14 @@ module Banzai
whitelist
end
- def remove_javascript_links
+ def remove_unsafe_links
lambda do |env|
node = env[:node]
return unless node.name == 'a'
return unless node.has_attribute?('href')
- if node['href'].start_with?('javascript', ':javascript')
+ if node['href'].start_with?(*UNSAFE_PROTOCOLS)
node.remove_attribute('href')
end
end