Skip to content

G
gitlab-ce
Commit 4225fd22 authored by Robert Speicher's avatar Robert Speicher
Browse files
Options

Sanitize `data:` links 

Closes #13625
parent 1367caa6
Hide whitespace changes
Inline Side-by-side
Showing with 12 additions and 5 deletions
lib/banzai/filter/sanitization_filter.rb
View file @ 4225fd22
......@@ -43,8 +43,8 @@ module Banzai
# Allow any protocol in `a` elements...
whitelist[:protocols].delete('a')
# ...but then remove links with the `javascript` protocol
whitelist[:transformers].push(remove_javascript_links)
# ...but then remove links with unsafe protocols
whitelist[:transformers].push(remove_unsafe_links)
# Remove `rel` attribute from `a` elements
whitelist[:transformers].push(remove_rel)
......@@ -55,14 +55,14 @@ module Banzai
whitelist
end
def remove_javascript_links
def remove_unsafe_links
lambda do |env|
node = env[:node]
return unless node.name == 'a'
return unless node.has_attribute?('href')
if node['href'].start_with?('javascript', ':javascript')
if node['href'].start_with?('javascript', ':javascript', 'data')
node.remove_attribute('href')
end
end
......
spec/lib/banzai/filter/sanitization_filter_spec.rb
View file @ 4225fd22
......@@ -156,13 +156,20 @@ describe Banzai::Filter::SanitizationFilter, lib: true do
}
protocols.each do |name, data|
it "handles #{name}" do
it "disallows #{name}" do
doc = filter(data[:input])
expect(doc.to_html).to eq data[:output]
end
end
it 'disallows data links' do
input = '<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">XSS</a>'
output = filter(input)
expect(output.to_html).to eq '<a>XSS</a>'
end
it 'allows non-standard anchor schemes' do
exp = %q{<a href="irc://irc.freenode.net/git">IRC</a>}
act = filter(exp)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7