Commit 2289ee1c authored by Stan Hu

Revert "Merge branch 'markdown-xss-fix-option-2' into 'security'

This reverts commit eb54c711.
parent 1a7926ca
......@@ -71,11 +71,6 @@ module Banzai
@doc = parse_html(rinku)
end
# Return true if any of the UNSAFE_PROTOCOLS strings are included in the URI scheme
def contains_unsafe?(scheme)
Banzai::Filter::SanitizationFilter::UNSAFE_PROTOCOLS.any? { |protocol| scheme.include?(protocol) }
end
# Autolinks any text matching LINK_PATTERN that Rinku didn't already
# replace
def text_parse
......@@ -84,14 +79,6 @@ module Banzai
next unless content.match(LINK_PATTERN)
begin
uri = Addressable::URI.parse(content)
uri.scheme = uri.scheme.strip.downcase if uri.scheme
next if contains_unsafe?(uri.scheme)
rescue Addressable::URI::InvalidURIError
next
end
html = autolink_filter(content)
next if html == content
......
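Review bot: After this revert, `text_parse` passes every `LINK_PATTERN` match straight to `autolink_filter(content)` with no scheme check and no `Addressable::URI::InvalidURIError` handling. Whether a `javascript:`-style URI in plain text becomes an `href` therefore depends on a filter that is not visible in this diff; if a different fix replaces the reverted one, that should be stated where the check used to be, for example `# Scheme filtering is intentionally not done here; unsafe protocols are rejected by <filter that owns the check>`. The spec section also drops `'does not autolink javascript'` and `'does not autolink bad URLs'`. Both assert on the filter's output rather than on the removed helper, so I would keep them as regression tests against whichever layer now owns the check, moving them to that layer's spec if they can no longer pass here. The body of `text_parse` starts and ends outside the hunk, so the surrounding pipeline is inferred rather than seen.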
......@@ -99,28 +99,6 @@ describe Banzai::Filter::AutolinkFilter, lib: true do
expect(doc.at_css('a')['href']).to eq link
end
it 'autolinks rdar' do
link = 'rdar://localhost.com/blah'
doc = filter("See #{link}")
expect(doc.at_css('a').text).to eq link
expect(doc.at_css('a')['href']).to eq link
end
it 'does not autolink javascript' do
link = 'javascript://alert(document.cookie);'
doc = filter("See #{link}")
expect(doc.to_s).not_to include('href="javascript://')
end
it 'does not autolink bad URLs' do
link = 'foo://23423:::asdf'
doc = filter("See #{link}")
expect(doc.to_s).to eq("See #{link}")
end
it 'does not include trailing punctuation' do
doc = filter("See #{link}.")
expect(doc.at_css('a').text).to eq link
......