Sanitize `vbscript:` links

Closes https://dev.gitlab.org/gitlab/gitlabhq/issues/2660

Sanitize `vbscript:` links
Closes https://dev.gitlab.org/gitlab/gitlabhq/issues/2660
989946f3 · Robert Speicher · 4225fd22 · 989946f3 · 989946f3
Commit 989946f3 authored Feb 23, 2016 by Robert Speicher
Showing with 10 additions and 1 deletion

lib/banzai/filter/sanitization_filter.rb lib/banzai/filter/sanitization_filter.rb +3 -1

spec/lib/banzai/filter/sanitization_filter_spec.rb spec/lib/banzai/filter/sanitization_filter_spec.rb +7 -0

No files found.
--- a/lib/banzai/filter/sanitization_filter.rb
+++ b/lib/banzai/filter/sanitization_filter.rb
@@ -7,6 +7,8 @@ module Banzai
    #
    # Extends HTML::Pipeline::SanitizationFilter with a custom whitelist.
    class SanitizationFilter < HTML::Pipeline::SanitizationFilter
+      UNSAFE_PROTOCOLS = %w(javascript :javascript data vbscript).freeze
+
      def whitelist
        whitelist = super

@@ -62,7 +64,7 @@ module Banzai
          return unless node.name == 'a'
          return unless node.has_attribute?('href')

-          if node['href'].start_with?('javascript', ':javascript', 'data')
+          if node['href'].start_with?(*UNSAFE_PROTOCOLS)
            node.remove_attribute('href')
          end
        end

--- a/spec/lib/banzai/filter/sanitization_filter_spec.rb
+++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb
@@ -170,6 +170,13 @@ describe Banzai::Filter::SanitizationFilter, lib: true do
      expect(output.to_html).to eq '<a>XSS</a>'
    end

+    it 'disallows vbscript links' do
+      input = '<a href="vbscript:alert(document.domain)">XSS</a>'
+      output = filter(input)
+
+      expect(output.to_html).to eq '<a>XSS</a>'
+    end
+
    it 'allows non-standard anchor schemes' do
      exp = %q{<a href="irc://irc.freenode.net/git">IRC</a>}
      act = filter(exp)