Commit 33c8d413 authored by Robert Speicher's avatar Robert Speicher Committed by Robert Speicher

Merge branch 'asciidoctor-xss-patch' into 'security'

Add sanitization filter to asciidocs output to prevent XSS

See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2057
parent 4ca6a719
---
title: Patch Asciidocs rendering to block XSS
merge_request:
author:
...@@ -36,6 +36,9 @@ module Gitlab ...@@ -36,6 +36,9 @@ module Gitlab
html = Banzai.post_process(html, context) html = Banzai.post_process(html, context)
filter = Banzai::Filter::SanitizationFilter.new(html)
html = filter.call.to_s
html.html_safe html.html_safe
end end
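Review bot: The sanitizer added at `filter = Banzai::Filter::SanitizationFilter.new(html)` runs after `Banzai.post_process`, so the post-processing filters operate on the raw Asciidoctor output and any markup they emit that falls outside SanitizationFilter's whitelist is stripped afterwards. Moving the two added lines above `html = Banzai.post_process(html, context)` (or making the filter part of the pipeline) would keep the order "sanitize, then post-process" and avoid the whitelist silently undoing post-processing. The filter is also built without the `context` the method already holds; if SanitizationFilter reads context options, as other pipeline filters appear to, pass it through: `Banzai::Filter::SanitizationFilter.new(html, context)`. The enclosing method starts outside the hunk.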
...@@ -41,6 +41,29 @@ module Gitlab ...@@ -41,6 +41,29 @@ module Gitlab
render(input, context, asciidoc_opts) render(input, context, asciidoc_opts)
end end
end end
context "XSS" do
links = {
'links' => {
input: 'link:mylink"onmouseover="alert(1)[Click Here]',
output: "<div>\n<p><a href=\"mylink\">Click Here</a></p>\n</div>"
},
'images' => {
input: 'image:https://localhost.com/image.png[Alt text" onerror="alert(7)]',
output: "<div>\n<p><span><img src=\"https://localhost.com/image.png\" alt=\"Alt text\"></span></p>\n</div>"
},
'pre' => {
input: '```mypre"><script>alert(3)</script>',
output: "<div>\n<div>\n<pre lang=\"mypre\">\"&gt;<code></code></pre>\n</div>\n</div>"
}
}
links.each do |name, data|
it "does not convert dangerous #{name} into HTML" do
expect(render(data[:input], context)).to eql data[:output]
end
end
end
end end
def render(*args) def render(*args)
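Review bot: The three payloads only cover attribute breakout inside the link, image and code-block macros; a `javascript:` URL in a link macro and a raw passthrough (`pass:[...]` or a `++++` block) are the other usual AsciiDoc injection routes and neither is exercised here, so a case such as `'javascript' => { input: 'link:javascript:alert(1)[Click Here]', output: ... }` with the sanitised output recorded from a run would be worth adding. The hash is named `links` although it also holds the image and pre cases; `payloads` would describe it better. Pinning the full serialised markup couples these examples to Asciidoctor's exact output, so a complementary negative assertion like `expect(render(data[:input], context)).not_to match(/on\w+=|<script/)` would keep the security check meaningful if the markup changes. The enclosing describe block starts outside the hunk.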