diff options
author | Douwe Maan <douwe@gitlab.com> | 2016-11-07 16:27:35 +0000 |
---|---|---|
committer | Rémy Coutable <remy@rymai.me> | 2016-11-09 12:26:44 +0100 |
commit | a14ee68fe4815d2906ece670bcc333303fd3c816 (patch) | |
tree | bf472312b78036d29fe47476822c938d6c311173 /spec/lib/banzai | |
parent | bf061d0aff091a73611037b811cea2d3380962f4 (diff) | |
download | gitlab-ce-a14ee68fe4815d2906ece670bcc333303fd3c816.tar.gz |
Merge branch 'markdown-xss-fix-option-2.1' into 'security'
Fix for HackerOne XSS vulnerability in markdown
This is an updated blacklist patch to fix https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2007. No text is removed. Dangerous schemes/protocols and invalid URIs are left intact but not linked.
Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/23153
See merge request !2015
Signed-off-by: Rémy Coutable <remy@rymai.me>
Diffstat (limited to 'spec/lib/banzai')
-rw-r--r-- | spec/lib/banzai/filter/autolink_filter_spec.rb | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/spec/lib/banzai/filter/autolink_filter_spec.rb b/spec/lib/banzai/filter/autolink_filter_spec.rb index dca7f997570..a6d2ea11fcc 100644 --- a/spec/lib/banzai/filter/autolink_filter_spec.rb +++ b/spec/lib/banzai/filter/autolink_filter_spec.rb @@ -99,6 +99,28 @@ describe Banzai::Filter::AutolinkFilter, lib: true do expect(doc.at_css('a')['href']).to eq link end + it 'autolinks rdar' do + link = 'rdar://localhost.com/blah' + doc = filter("See #{link}") + + expect(doc.at_css('a').text).to eq link + expect(doc.at_css('a')['href']).to eq link + end + + it 'does not autolink javascript' do + link = 'javascript://alert(document.cookie);' + doc = filter("See #{link}") + + expect(doc.at_css('a')).to be_nil + end + + it 'does not autolink bad URLs' do + link = 'foo://23423:::asdf' + doc = filter("See #{link}") + + expect(doc.to_s).to eq("See #{link}") + end + it 'does not include trailing punctuation' do doc = filter("See #{link}.") expect(doc.at_css('a').text).to eq link |