Skip to content

G
gitlab-ce
Commit 4225fd22 authored by Robert Speicher's avatar Robert Speicher
Browse files
Options

Sanitize `data:` links 

Closes #13625
parent 1367caa6
Hide whitespace changes
Inline Side-by-side
Showing with 12 additions and 5 deletions
lib/banzai/filter/sanitization_filter.rb
View file @ 4225fd22
...@@ -43,8 +43,8 @@ module Banzai ...@@ -43,8 +43,8 @@ module Banzai
# Allow any protocol in `a` elements... # Allow any protocol in `a` elements...
whitelist[:protocols].delete('a') whitelist[:protocols].delete('a')
# ...but then remove links with the `javascript` protocol # ...but then remove links with unsafe protocols
whitelist[:transformers].push(remove_javascript_links) whitelist[:transformers].push(remove_unsafe_links)
# Remove `rel` attribute from `a` elements # Remove `rel` attribute from `a` elements
whitelist[:transformers].push(remove_rel) whitelist[:transformers].push(remove_rel)
...@@ -55,14 +55,14 @@ module Banzai ...@@ -55,14 +55,14 @@ module Banzai
whitelist whitelist
end end
def remove_javascript_links def remove_unsafe_links
lambda do |env| lambda do |env|
node = env[:node] node = env[:node]
return unless node.name == 'a' return unless node.name == 'a'
return unless node.has_attribute?('href') return unless node.has_attribute?('href')
if node['href'].start_with?('javascript', ':javascript') if node['href'].start_with?('javascript', ':javascript', 'data')
node.remove_attribute('href') node.remove_attribute('href')
end end
end end
......
spec/lib/banzai/filter/sanitization_filter_spec.rb
View file @ 4225fd22
...@@ -156,13 +156,20 @@ describe Banzai::Filter::SanitizationFilter, lib: true do ...@@ -156,13 +156,20 @@ describe Banzai::Filter::SanitizationFilter, lib: true do
} }
protocols.each do |name, data| protocols.each do |name, data|
it "handles #{name}" do it "disallows #{name}" do
doc = filter(data[:input]) doc = filter(data[:input])
expect(doc.to_html).to eq data[:output] expect(doc.to_html).to eq data[:output]
end end
end end
it 'disallows data links' do
input = '<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">XSS</a>'
output = filter(input)
expect(output.to_html).to eq '<a>XSS</a>'
end
it 'allows non-standard anchor schemes' do it 'allows non-standard anchor schemes' do
exp = %q{<a href="irc://irc.freenode.net/git">IRC</a>} exp = %q{<a href="irc://irc.freenode.net/git">IRC</a>}
act = filter(exp) act = filter(exp)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7