FIX: allowed href scheme link can start with a + (#5537)

* allowed href scheme link can start with a + * allow tel:// links only to start with + * add missing semicolon * add test
2018-01-30 01:02:23 +01:00 · 2018-01-30 01:02:23 +01:00 · 330912e1e5
parent f3502853fa
commit 330912e1e5
2 changed files with 14 additions and 0 deletions
--- a/app/assets/javascripts/pretty-text/sanitizer.js.es6
+++ b/app/assets/javascripts/pretty-text/sanitizer.js.es6
@ -73,6 +73,9 @@ export function sanitize(text, whiteLister) {

  if (allowedHrefSchemes && allowedHrefSchemes.length > 0) {
    extraHrefMatchers = [new RegExp('^(' + allowedHrefSchemes.join('|') + '):\/\/[\\w\\.\\-]+','i')];
+    if (allowedHrefSchemes.includes('tel')) {
+      extraHrefMatchers.push(new RegExp('^tel:\/\/\\+?[\\w\\.\\-]+','i'));
+    }
  }

  let result = xss(text, {
--- a/spec/components/pretty_text_spec.rb
+++ b/spec/components/pretty_text_spec.rb
@ -811,6 +811,17 @@ describe PrettyText do
    expect(cooked).to eq(n expected)
  end

+  it 'allows only tel URL scheme to start with a plus character' do
+    SiteSetting.allowed_href_schemes = "tel|steam"
+    cooked = cook("[Tel URL Scheme](tel://+452530579785)")
+    expected = '<p><a href="tel://+452530579785" rel="nofollow noopener">Tel URL Scheme</a></p>'
+    expect(cooked).to eq(n expected)
+
+    cooked2 = cook("[Steam URL Scheme](steam://+store/452530)")
+    expected2 = '<p><a>Steam URL Scheme</a></p>'
+    expect(cooked2).to eq(n expected2)
+  end
+
  it "produces hashtag links" do
    category = Fabricate(:category, name: 'testing')
    category2 = Fabricate(:category, name: 'known')