Merge branch 'security-xss-in-markdown-following-unrecognized-html-element' into 'master'

[master] XSS in markdown following unrecognized HTML element Closes #2732 See merge request gitlab/gitlabhq!2599
author: Cindy Pallares <cindy@gitlab.com> 2018-11-28 19:02:01 +0000
committer: Cindy Pallares <cindy@gitlab.com> 2018-11-28 19:09:35 -0500
commit: b5b475c273aca6aee13f628507cef9f077281a02 (patch)
tree: 4b7350033cba6765fc7638ac2864cdef7610cdbc /spec/lib/banzai
parent: c4bb0a116efb8d95dcf7edd92424795ea919660f (diff)
download: gitlab-ce-b5b475c273aca6aee13f628507cef9f077281a02.tar.gz
1 files changed, 12 insertions, 0 deletions
diff --git a/spec/lib/banzai/pipeline/gfm_pipeline_spec.rb b/spec/lib/banzai/pipeline/gfm_pipeline_spec.rb
index df24cef0b8b..91b0499375d 100644
--- a/spec/lib/banzai/pipeline/gfm_pipeline_spec.rb
+++ b/spec/lib/banzai/pipeline/gfm_pipeline_spec.rb
@@ -104,5 +104,17 @@ describe Banzai::Pipeline::GfmPipeline do
 
       expect(output).to include("src=\"test%20image.png\"")
     end
+
+    it 'sanitizes the fixed link' do
+      markdown_xss = "[xss](javascript: alert%28document.domain%29)"
+      output = described_class.to_html(markdown_xss, project: project)
+
+      expect(output).not_to include("javascript")
+
+      markdown_xss = "<invalidtag>\n[xss](javascript:alert%28document.domain%29)"
+      output = described_class.to_html(markdown_xss, project: project)
+
+      expect(output).not_to include("javascript")
+    end
   end
 end
author	Cindy Pallares <cindy@gitlab.com>	2018-11-28 19:02:01 +0000
committer	Cindy Pallares <cindy@gitlab.com>	2018-11-28 19:09:35 -0500
commit	b5b475c273aca6aee13f628507cef9f077281a02 (patch)
tree	4b7350033cba6765fc7638ac2864cdef7610cdbc /spec/lib/banzai
parent	c4bb0a116efb8d95dcf7edd92424795ea919660f (diff)
download	gitlab-ce-b5b475c273aca6aee13f628507cef9f077281a02.tar.gz