From 9b09856e7b853146ac4ff03d388f7063e6f0efbd Mon Sep 17 00:00:00 2001
From: Douwe Maan <douwe@gitlab.com>
Date: Wed, 30 Aug 2017 17:34:34 +0000
Subject: Merge branch 'rs-issue-36104' into 'security-9-5'

[9.5] Disallow the `name` attribute on all user-provided markup

See merge request gitlab/gitlabhq!2166
---
 app/views/projects/blob/viewers/_route_map.html.haml         |  2 +-
 app/views/projects/blob/viewers/_route_map_loading.html.haml |  2 +-
 changelogs/unreleased/rs-issue-36104.yml                     |  4 ++++
 doc/ci/environments.md                                       |  3 +--
 doc/install/database_mysql.md                                |  3 +--
 lib/banzai/filter/sanitization_filter.rb                     |  3 +++
 spec/features/copy_as_gfm_spec.rb                            |  2 --
 spec/lib/banzai/filter/sanitization_filter_spec.rb           | 12 ++++++++++++
 8 files changed, 23 insertions(+), 8 deletions(-)
 create mode 100644 changelogs/unreleased/rs-issue-36104.yml

diff --git a/app/views/projects/blob/viewers/_route_map.html.haml b/app/views/projects/blob/viewers/_route_map.html.haml
index d0fcd55f6c1..6d6bd79bc3c 100644
--- a/app/views/projects/blob/viewers/_route_map.html.haml
+++ b/app/views/projects/blob/viewers/_route_map.html.haml
@@ -6,4 +6,4 @@
   This Route Map is invalid:
   = viewer.validation_message
 
-= link_to 'Learn more', help_page_path('ci/environments', anchor: 'route-map')
+= link_to 'Learn more', help_page_path('ci/environments', anchor: 'go-directly-from-source-files-to-public-pages-on-the-environment')
diff --git a/app/views/projects/blob/viewers/_route_map_loading.html.haml b/app/views/projects/blob/viewers/_route_map_loading.html.haml
index 2318cf82f58..a5f73fb0197 100644
--- a/app/views/projects/blob/viewers/_route_map_loading.html.haml
+++ b/app/views/projects/blob/viewers/_route_map_loading.html.haml
@@ -1,4 +1,4 @@
 = icon('spinner spin fw')
 Validating Route Map…
 
-= link_to 'Learn more', help_page_path('ci/environments', anchor: 'route-map')
+= link_to 'Learn more', help_page_path('ci/environments', anchor: 'go-directly-from-source-files-to-public-pages-on-the-environment')
diff --git a/changelogs/unreleased/rs-issue-36104.yml b/changelogs/unreleased/rs-issue-36104.yml
new file mode 100644
index 00000000000..b050cd83175
--- /dev/null
+++ b/changelogs/unreleased/rs-issue-36104.yml
@@ -0,0 +1,4 @@
+---
+title: Disallow the `name` attribute on all user-provided markup
+merge_request:
+author:
diff --git a/doc/ci/environments.md b/doc/ci/environments.md
index cbf06afa294..c1362b7bd5b 100644
--- a/doc/ci/environments.md
+++ b/doc/ci/environments.md
@@ -446,8 +446,7 @@ and/or `production`) you can see this information in the merge request itself.
 
 ![Environment URLs in merge request](img/environments_link_url_mr.png)
 
-### <a name="route-map"></a>Go directly from source files to public pages on the environment
-
+### Go directly from source files to public pages on the environment
 
 > Introduced in GitLab 8.17.
 
diff --git a/doc/install/database_mysql.md b/doc/install/database_mysql.md
index bc75dc1447e..5c128f54a76 100644
--- a/doc/install/database_mysql.md
+++ b/doc/install/database_mysql.md
@@ -75,7 +75,7 @@ log_bin_trust_function_creators=1
 
 ### MySQL utf8mb4 support
 
-After installation or upgrade, remember to [convert any new tables](#convert) to `utf8mb4`/`utf8mb4_general_ci`.
+After installation or upgrade, remember to [convert any new tables](#tables-and-data-conversion-to-utf8mb4) to `utf8mb4`/`utf8mb4_general_ci`.
 
 ---
 
@@ -230,7 +230,6 @@ We need to check, enable and probably convert your existing GitLab DB tables to
 > Now, ensure that [innodb_file_format](https://dev.mysql.com/doc/refman/5.6/en/tablespace-enabling.html) and [innodb_large_prefix](http://dev.mysql.com/doc/refman/5.7/en/innodb-parameters.html#sysvar_innodb_large_prefix) are **persisted** in your `my.cnf` file.
 
 #### Tables and data conversion to utf8mb4
-<a name="convert"></a>
 
 Now that you have a persistent MySQL setup, you can safely upgrade tables after setup or upgrade time:
 
diff --git a/lib/banzai/filter/sanitization_filter.rb b/lib/banzai/filter/sanitization_filter.rb
index 768baa4e227..9923ec4e870 100644
--- a/lib/banzai/filter/sanitization_filter.rb
+++ b/lib/banzai/filter/sanitization_filter.rb
@@ -45,6 +45,9 @@ module Banzai
         whitelist[:elements].push('abbr')
         whitelist[:attributes]['abbr'] = %w(title)
 
+        # Disallow `name` attribute globally
+        whitelist[:attributes][:all].delete('name')
+
         # Allow any protocol in `a` elements...
         whitelist[:protocols].delete('a')
 
diff --git a/spec/features/copy_as_gfm_spec.rb b/spec/features/copy_as_gfm_spec.rb
index 3e6a27eafd8..dfeba722ac6 100644
--- a/spec/features/copy_as_gfm_spec.rb
+++ b/spec/features/copy_as_gfm_spec.rb
@@ -288,8 +288,6 @@ describe 'Copy as GFM', js: true do
         'SanitizationFilter',
 
         <<-GFM.strip_heredoc
-        <a name="named-anchor"></a>
-
         <sub>sub</sub>
 
         <dl>
diff --git a/spec/lib/banzai/filter/sanitization_filter_spec.rb b/spec/lib/banzai/filter/sanitization_filter_spec.rb
index 659b4460fc3..01ceb21dfaa 100644
--- a/spec/lib/banzai/filter/sanitization_filter_spec.rb
+++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb
@@ -101,6 +101,18 @@ describe Banzai::Filter::SanitizationFilter do
       expect(filter(act).to_html).to eq exp
     end
 
+    it 'disallows the `name` attribute globally' do
+      html = <<~HTML
+        <img name="getElementById" src="">
+        <span name="foo" class="bar">Hi</span>
+      HTML
+
+      doc = filter(html)
+
+      expect(doc.at_css('img')).not_to have_attribute('name')
+      expect(doc.at_css('span')).not_to have_attribute('name')
+    end
+
     it 'allows `summary` elements' do
       exp = act = '<summary>summary line</summary>'
       expect(filter(act).to_html).to eq exp
-- 
cgit v1.2.1