From c12a131fb4e980aa302eb0440737f12a008ba080 Mon Sep 17 00:00:00 2001 From: Sam Date: Thu, 17 Jul 2014 15:40:19 +1000 Subject: [PATCH] SECURITY: sanitizer allowing invalid attributes --- app/assets/javascripts/discourse/lib/markdown.js | 10 ++++++++++ spec/components/pretty_text_spec.rb | 5 +++++ 2 files changed, 15 insertions(+) diff --git a/app/assets/javascripts/discourse/lib/markdown.js b/app/assets/javascripts/discourse/lib/markdown.js index a28496cdbe8..7229b49c20f 100644 --- a/app/assets/javascripts/discourse/lib/markdown.js +++ b/app/assets/javascripts/discourse/lib/markdown.js @@ -14,6 +14,16 @@ var _validClasses = {}, function validateAttribute(tagName, attribName, value) { var tag = _validTags[tagName]; + // Handle possible attacks + // if you include html in your markdown, it better be valid + // + // We are SUPER strict cause nokogiri will sometimes "correct" + // this stuff "incorrectly" + var escaped = Handlebars.Utils.escapeExpression(value); + if(escaped !== value){ + return; + } + // Handle classes if (attribName === "class") { if (_validClasses[value]) { return value; } diff --git a/spec/components/pretty_text_spec.rb b/spec/components/pretty_text_spec.rb index 682649077a0..f55219b75c7 100644 --- a/spec/components/pretty_text_spec.rb +++ b/spec/components/pretty_text_spec.rb @@ -76,6 +76,7 @@ describe PrettyText do describe "Excerpt" do context "images" do + it "should dump images" do PrettyText.excerpt("",100).should == "[image]" end @@ -286,6 +287,10 @@ describe PrettyText do it "allows bold chinese" do PrettyText.cook("**你hello**").should match_html "

你hello

" end + + it "sanitizes attempts to inject invalid attributes" do + PrettyText.cook("