Merge branch 'xss-case-insensitive-protocol' into 'master'

Use a case-insensitive check to compare URI schemes

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/17299

See merge request !1965

CHANGELOG

@@ -2,6 +2,7 @@ Please view this file on the master branch, on stable branches it's out of date.
 
 v 8.8.0 (unreleased)
   - Assign labels and milestone to target project when moving issue. !3934 (Long Nguyen)
+  - Use a case-insensitive comparison in sanitizing URI schemes
   - Project#open_branches has been cleaned up and no longer loads entire records into memory.
   - Escape HTML in commit titles in system note messages
   - Improve multiple branch push performance by memoizing permission checking

lib/banzai/filter/sanitization_filter.rb

@@ -63,7 +63,7 @@ module Banzai
 
           begin
             uri = Addressable::URI.parse(node['href'])
-            uri.scheme.strip! if uri.scheme
+            uri.scheme = uri.scheme.strip.downcase if uri.scheme
 
             node.remove_attribute('href') if UNSAFE_PROTOCOLS.include?(uri.scheme)
           rescue Addressable::URI::InvalidURIError

spec/lib/banzai/filter/sanitization_filter_spec.rb

@@ -22,6 +22,12 @@ describe Banzai::Filter::SanitizationFilter, lib: true do
       expect(filter(act).to_html).to eq exp
     end
 
+    it 'sanitizes mixed-cased javascript in attributes' do
+      act = %q(<a href="javaScript:alert('foo')">Text</a>)
+      exp = '<a>Text</a>'
+      expect(filter(act).to_html).to eq exp
+    end
+
     it 'allows whitelisted HTML tags from the user' do
       exp = act = "<dl>\n<dt>Term</dt>\n<dd>Definition</dd>\n</dl>"
       expect(filter(act).to_html).to eq exp