author | Steve Azzopardi <sazzopardi@gitlab.com> | 2018-11-23 08:27:44 +0000 |
committer | Steve Azzopardi <sazzopardi@gitlab.com> | 2018-11-23 08:27:44 +0000 |
commit | d90b1cd041b9d315d46f0dc11826b045f553023e (patch) | |
tree | c8b7b46ff03d63dc23b1cb03d34dd154da71f1e3 /lib | |
parent | f29122ec6d762623436abe5dbf992c9d00a04899 (diff) | |
parent | a975b51b48f0317f94cf6d3f35bddd0440294920 (diff) | |
Merge branch 'security-11-5-xss-in-markdown-following-unrecognized-html-element' into 'security-11-5'
[11.5] XSS in markdown following unrecognized HTML element
See merge request gitlab/gitlabhq!2631
Diffstat (limited to 'lib')
-rw-r--r-- | lib/banzai/filter/spaced_link_filter.rb | 3 | ||||
-rw-r--r-- | lib/banzai/pipeline/gfm_pipeline.rb | 5 |
2 files changed, 7 insertions, 1 deletions
diff --git a/lib/banzai/filter/spaced_link_filter.rb b/lib/banzai/filter/spaced_link_filter.rb
index a27f1d46863..c6a3a763c23 100644
--- a/lib/banzai/filter/spaced_link_filter.rb
+++ b/lib/banzai/filter/spaced_link_filter.rb
@@ -17,6 +17,9 @@ module Banzai
 # This is a small extension to the CommonMark spec. If they start allowing
 # spaces in urls, we could then remove this filter.
 #
+ # Note: Filter::SanitizationFilter should always be run sometime after this filter
+ # to prevent XSS attacks
+ #
 class SpacedLinkFilter < HTML::Pipeline::Filter
 include ActionView::Helpers::TagHelper
diff --git a/lib/banzai/pipeline/gfm_pipeline.rb b/lib/banzai/pipeline/gfm_pipeline.rb
index be75e34a673..96bea7ca935 100644
--- a/lib/banzai/pipeline/gfm_pipeline.rb
+++ b/lib/banzai/pipeline/gfm_pipeline.rb
@@ -12,13 +12,16 @@ module Banzai
 def self.filters
 @filters ||= FilterArray[
 Filter::PlantumlFilter,
+
+ # Must always be before the SanitizationFilter to prevent XSS attacks
+ Filter::SpacedLinkFilter,
+
 Filter::SanitizationFilter,
 Filter::SyntaxHighlightFilter,
 Filter::MathFilter,
 Filter::ColorFilter,
 Filter::MermaidFilter,
- Filter::SpacedLinkFilter,
 Filter::VideoLinkFilter,
 Filter::ImageLazyLoadFilter,
 Filter::ImageLinkFilter, |
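Review bot: The ordering that makes this fix hold — `Filter::SpacedLinkFilter` listed before `Filter::SanitizationFilter` in `GfmPipeline.filters` — is protected only by the comment added in the second hunk, so a later reordering of the `FilterArray` would reintroduce the problem silently. A small spec pinning the invariant would make a regression fail loudly, e.g. `filters = described_class.filters`, `expect(filters.index(Banzai::Filter::SpacedLinkFilter)).to be < filters.index(Banzai::Filter::SanitizationFilter)`. The new comment in `spaced_link_filter.rb` names the same constraint for any pipeline that includes this filter; if other pipelines also list `SpacedLinkFilter` (not visible in this diff), they warrant the same check. The `def self.filters` body continues past the end of the hunk.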