SECURITY: sanitizer allowing invalid attributes

Sam 2014-07-17 15:40:19 +10:00
parent 5ad3396a7a
commit c12a131fb4
2 changed files with 15 additions and 0 deletions


@ -14,6 +14,16 @@ var _validClasses = {},
function validateAttribute(tagName, attribName, value) { function validateAttribute(tagName, attribName, value) {
var tag = _validTags[tagName]; var tag = _validTags[tagName];
// Handle possible attacks
// if you include html in your markdown, it better be valid
//
// We are SUPER strict cause nokogiri will sometimes "correct"
// this stuff "incorrectly"
var escaped = Handlebars.Utils.escapeExpression(value);
if(escaped !== value){
return;
}
// Handle classes // Handle classes
if (attribName === "class") { if (attribName === "class") {
if (_validClasses[value]) { return value; } if (_validClasses[value]) { return value; }
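Review bot: The new guard at the top of validateAttribute rejects every value that Handlebars.Utils.escapeExpression would change, and it runs before the class handling and anything after it, so a legitimate value containing `&` (for example a URL with a query string, if link attributes pass through this function) is dropped together with the injection attempts. If that strictness is intended, the comment should say so, e.g. `// Reject any value escapeExpression would rewrite (quotes, &, <, >); returning undefined drops the attribute`. The guard is also only as complete as the escape set of the bundled Handlebars version, so a character class owned by this file would be easier to audit and would not change when Handlebars is upgraded. The rest of validateAttribute lies outside the hunk, so what happens to values that pass the guard is not visible here.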


@ -76,6 +76,7 @@ describe PrettyText do
describe "Excerpt" do describe "Excerpt" do
context "images" do context "images" do
it "should dump images" do it "should dump images" do
PrettyText.excerpt("<img src='http://cnn.com/a.gif'>",100).should == "[image]" PrettyText.excerpt("<img src='http://cnn.com/a.gif'>",100).should == "[image]"
end end
@ -286,6 +287,10 @@ describe PrettyText do
it "allows bold chinese" do it "allows bold chinese" do
PrettyText.cook("**你hello**").should match_html "<p><strong>你hello</strong></p>" PrettyText.cook("**你hello**").should match_html "<p><strong>你hello</strong></p>"
end end
it "sanitizes attempts to inject invalid attributes" do
PrettyText.cook("<a href=\"http://thedailywtf.com/\" data-bbcode=\"' class='fa fa-spin\">WTF</a>").should == "<p><a href=\"http://thedailywtf.com/\" rel=\"nofollow\">WTF</a></p>"
end
end end
end end
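Review bot: The added spec pins only one payload, a single quote inside `data-bbcode`, and compares with `.should ==` where the neighbouring spec uses `match_html`, so it will fail on harmless serializer changes such as attribute order or whitespace. I would write it as `.should match_html "<p><a href=\"http://thedailywtf.com/\" rel=\"nofollow\">WTF</a></p>"`. I would also add sibling cases for the other characters the sanitizer now rejects (double quote, `<`, `&`), including one that records what is expected for an `href` containing `&`, so the strictness of the new check is an explicit, tested decision.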