BigW Consortium Gitlab

Commit 59948731 by Douwe Maan, committed by Stan Hu

Merge branch 'rs-sanitize-unicode-in-protocol' into 'security-10-0'

[10.0] Prevent a persistent XSS in user-provided markup

See merge request gitlab/gitlabhq!2199
parent e4884d9d
---
title: Prevent a persistent XSS in user-provided markup
merge_request:
author:
type: security
...@@ -75,9 +75,19 @@ module Banzai ...@@ -75,9 +75,19 @@ module Banzai
begin begin
node['href'] = node['href'].strip node['href'] = node['href'].strip
uri = Addressable::URI.parse(node['href']) uri = Addressable::URI.parse(node['href'])
uri.scheme = uri.scheme.downcase if uri.scheme
node.remove_attribute('href') if UNSAFE_PROTOCOLS.include?(uri.scheme) return unless uri.scheme
# Remove all invalid scheme characters before checking against the
# list of unsafe protocols.
#
# See https://tools.ietf.org/html/rfc3986#section-3.1
scheme = uri.scheme
.strip
.downcase
.gsub(/[^A-Za-z0-9\+\.\-]+/, '')
node.remove_attribute('href') if UNSAFE_PROTOCOLS.include?(scheme)
rescue Addressable::URI::InvalidURIError rescue Addressable::URI::InvalidURIError
node.remove_attribute('href') node.remove_attribute('href')
end end
......
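Review bot: `return unless uri.scheme` is not a drop-in replacement for the removed `uri.scheme = uri.scheme.downcase if uri.scheme`; it returns from the enclosing method, so whatever follows the `begin`/`rescue`/`end` block (not visible in this hunk) is now skipped for scheme-less, i.e. relative, hrefs that previously fell through. If nothing follows the block this is harmless; otherwise keep the guard local to the block (`if uri.scheme` around the scheme check) so relative links still reach the later steps. The new `gsub(/[^A-Za-z0-9\+\.\-]+/, '')` is the right direction: a scheme containing control characters is exactly how the `\u0001java\u0003script:` payload in the accompanying spec slipped past a plain `include?` comparison, and stripping everything outside the RFC 3986 scheme alphabet before comparing closes that gap rather than treating the pre-strip value as an unknown, and therefore allowed, scheme. Two smaller points: the cleaned value lives in the local `scheme` while `uri.scheme` is left untouched, which is only fine because nothing after this line uses `uri`; and `UNSAFE_PROTOCOLS.include?(scheme)` remains a denylist, so a scheme allowlist would be the stronger long-term shape (a design note, not a blocker for this fix).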
...@@ -217,6 +217,11 @@ describe Banzai::Filter::SanitizationFilter do ...@@ -217,6 +217,11 @@ describe Banzai::Filter::SanitizationFilter do
output: '<img>' output: '<img>'
}, },
'protocol-based JS injection: Unicode' => {
input: %Q(<a href="\u0001java\u0003script:alert('XSS')">foo</a>),
output: '<a>foo</a>'
},
'protocol-based JS injection: spaces and entities' => { 'protocol-based JS injection: spaces and entities' => {
input: '<a href=" &#14; javascript:alert(\'XSS\');">foo</a>', input: '<a href=" &#14; javascript:alert(\'XSS\');">foo</a>',
output: '<a href="">foo</a>' output: '<a href="">foo</a>'
......
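Review bot: the new 'protocol-based JS injection: Unicode' case only exercises C0 control characters (`\u0001`, `\u0003`) inside the scheme, while the filter change strips every character outside `[A-Za-z0-9+.-]`; add at least a tab/newline variant (`java\tscript:`, `java\nscript:`) and a mixed-case-plus-control variant (`JaVa\u0001ScRiPt:`) so the `.downcase` and the `gsub` are both covered, plus a positive case asserting that a plain `http:` or `mailto:` href survives unchanged. Also note the expected output differs from the neighbouring 'spaces and entities' case: `'<a>foo</a>'` (attribute removed) versus `'<a href="">foo</a>'` (attribute emptied); if that asymmetry is intentional, a one-line comment in the spec would save the next reader a trip through the filter to work out why.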