Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

FIX: allowed href scheme link can start with a + (#5537) 

* allowed href scheme link can start with a +

* allow tel:// links only to start with +

* add missing semicolon

* add test
This commit is contained in:
Maja Komel 2018-01-30 01:02:23 +01:00 committed by Sam
parent f3502853fa
commit 330912e1e5
2 changed files with 14 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
app/assets/javascripts/pretty-text/sanitizer.js.es6
View File

@ -73,6 +73,9 @@ export function sanitize(text, whiteLister) {
if (allowedHrefSchemes && allowedHrefSchemes.length > 0) { if (allowedHrefSchemes && allowedHrefSchemes.length > 0) {
extraHrefMatchers = [new RegExp('^(' + allowedHrefSchemes.join('|') + '):\/\/[\\w\\.\\-]+','i')]; extraHrefMatchers = [new RegExp('^(' + allowedHrefSchemes.join('|') + '):\/\/[\\w\\.\\-]+','i')];
if (allowedHrefSchemes.includes('tel')) {
extraHrefMatchers.push(new RegExp('^tel:\/\/\\+?[\\w\\.\\-]+','i'));
}
} }
let result = xss(text, { let result = xss(text, {

11
spec/components/pretty_text_spec.rb
View File

@ -811,6 +811,17 @@ describe PrettyText do
expect(cooked).to eq(n expected) expect(cooked).to eq(n expected)
end end
it 'allows only tel URL scheme to start with a plus character' do
SiteSetting.allowed_href_schemes = "tel|steam"
cooked = cook("[Tel URL Scheme](tel://+452530579785)")
expected = '<p><a href="tel://+452530579785" rel="nofollow noopener">Tel URL Scheme</a></p>'
expect(cooked).to eq(n expected)
cooked2 = cook("[Steam URL Scheme](steam://+store/452530)")
expected2 = '<p><a>Steam URL Scheme</a></p>'
expect(cooked2).to eq(n expected2)
end
it "produces hashtag links" do it "produces hashtag links" do
category = Fabricate(:category, name: 'testing') category = Fabricate(:category, name: 'testing')
category2 = Fabricate(:category, name: 'known') category2 = Fabricate(:category, name: 'known')