Commit 7e1f7a02 authored by Robert Speicher's avatar Robert Speicher Committed by Robert Speicher

Merge branch 'fix-rdoc-xss' into 'security'

Fix XSS in rdoc and other markups

See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2058
parent 33c8d413
---
title: Patch XSS vulnerability in RDOC support
merge_request:
author:
...@@ -17,6 +17,9 @@ module Gitlab ...@@ -17,6 +17,9 @@ module Gitlab
html = Banzai.post_process(html, context) html = Banzai.post_process(html, context)
filter = Banzai::Filter::SanitizationFilter.new(html)
html = filter.call.to_s
html.html_safe html.html_safe
end end
end end
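Review bot: The added `Banzai::Filter::SanitizationFilter.new(html)` is built without the pipeline `context`, so any whitelist customization the filter derives from its context does not apply on this path; if that is deliberate, document it with a comment, otherwise forward it with `filter = Banzai::Filter::SanitizationFilter.new(html, context)`, assuming the filter's initializer accepts a context like other HTML::Pipeline filters. The sanitizer also runs after `Banzai.post_process`, so attributes added by post-processing filters are now subject to the whitelist — a one-line comment such as `# Sanitize last so the raw output of every markup renderer is covered` would make the ordering intentional for the next reader. The hunk header announces three added lines but only two are visible here, so part of the change may be cut from this view; the enclosing method starts outside the hunk.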
......
require 'spec_helper'
describe Gitlab::OtherMarkup, lib: true do
context "XSS Checks" do
links = {
'links' => {
file: 'file.rdoc',
input: 'XSS[JaVaScriPt:alert(1)]',
output: '<p><a>XSS</a></p>'
}
}
links.each do |name, data|
it "does not convert dangerous #{name} into HTML" do
expect(render(data[:file], data[:input], context)).to eql data[:output]
end
end
end
def render(*args)
described_class.render(*args)
end
end
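Review bot: `context` is passed to `render` inside the example but is not defined anywhere in the visible spec, so unless a `let(:context)` was dropped from this view the example raises NameError before it ever exercises the sanitizer; add `let(:context) { {} }` at the describe level. The fix in `Gitlab::OtherMarkup` covers every markup it renders, yet the only case here is `file.rdoc`; one entry per supported extension with the same expected `<p><a>XSS</a></p>` output would pin the sanitizer on each renderer's output rather than on RDoc alone. The case table is a bare local inside the `context` block, which works but is more conventionally a frozen constant or a `let`.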