Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SECURITY: fix XSS in link's href

This commit is contained in:
Régis Hanol 2014-07-15 16:11:37 +02:00
parent 09924da60b
commit a9342dbf92
2 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
app/assets/javascripts/discourse/lib/markdown.js
View File

@ -164,6 +164,9 @@ Discourse.Markdown = {
urlAllowed: function (uri, effect, ltype, hints) {
var url = typeof(uri) === "string" ? uri : uri.toString();
// escape single quotes
url = url.replace(/'/g, "'");
// whitelist some iframe only
if (hints && hints.XML_TAG === "iframe" && hints.XML_ATTR === "src") {
for (var i = 0, length = _validIframes.length; i < length; i++) {

8
test/javascripts/lib/markdown_test.js
View File

@ -401,14 +401,20 @@ test("URLs in BBCode tags", function() {
});
test("urlAllowed", function() {
var urlAllowed = Discourse.Markdown.urlAllowed;
var allowed = function(url, msg) {
equal(Discourse.Markdown.urlAllowed(url), url, msg);
equal(urlAllowed(url), url, msg);
};
allowed("/foo/bar.html", "allows relative urls");
allowed("http://eviltrout.com/evil/trout", "allows full urls");
allowed("https://eviltrout.com/evil/trout", "allows https urls");
allowed("//eviltrout.com/evil/trout", "allows protocol relative urls");
equal(urlAllowed("http://google.com/test'onmouseover=alert('XSS!');//.swf"),
"http://google.com/test&#39;onmouseover=alert(&#39;XSS!&#39;);//.swf",
"escape single quotes");
});
test("images", function() {