SECURITY: sanitizer allowing invalid attributes

2014-07-17 15:40:19 +10:00 · 2014-07-17 15:40:19 +10:00 · c12a131fb4
parent 5ad3396a7a
commit c12a131fb4
2 changed files with 15 additions and 0 deletions
--- a/app/assets/javascripts/discourse/lib/markdown.js
+++ b/app/assets/javascripts/discourse/lib/markdown.js
@ -14,6 +14,16 @@ var _validClasses = {},
 function validateAttribute(tagName, attribName, value) {
  var tag = _validTags[tagName];

+  // Handle possible attacks
+  // if you include html in your markdown, it better be valid
+  //
+  // We are SUPER strict cause nokogiri will sometimes "correct"
+  //  this stuff "incorrectly"
+  var escaped = Handlebars.Utils.escapeExpression(value);
+  if(escaped !== value){
+    return;
+  }
+
  // Handle classes
  if (attribName === "class") {
    if (_validClasses[value]) { return value; }
--- a/spec/components/pretty_text_spec.rb
+++ b/spec/components/pretty_text_spec.rb
@ -76,6 +76,7 @@ describe PrettyText do
  describe "Excerpt" do

    context "images" do
+
      it "should dump images" do
        PrettyText.excerpt("<img src='http://cnn.com/a.gif'>",100).should == "[image]"
      end
@ -286,6 +287,10 @@ describe PrettyText do
    it "allows bold chinese" do
      PrettyText.cook("**你hello**").should match_html "<p><strong>你hello</strong></p>"
    end
+
+    it "sanitizes attempts to inject invalid attributes" do
+      PrettyText.cook("<a href=\"http://thedailywtf.com/\" data-bbcode=\"' class='fa fa-spin\">WTF</a>").should == "<p><a href=\"http://thedailywtf.com/\" rel=\"nofollow\">WTF</a></p>"
+    end
  end

 end