From e663d78104185ceff84d02a8012164fbe9dc5074 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9gis=20Hanol?=
Date: Thu, 27 Mar 2014 15:34:35 +0100
Subject: [PATCH] SECURITY: sanitize markdown urls (prevent XSS)
---
 .../discourse/dialects/anchor_dialect.js | 13 +++++++++++++
 test/javascripts/lib/markdown_test.js | 2 ++
 2 files changed, 15 insertions(+)
 create mode 100644 app/assets/javascripts/discourse/dialects/anchor_dialect.js
diff --git a/app/assets/javascripts/discourse/dialects/anchor_dialect.js b/app/assets/javascripts/discourse/dialects/anchor_dialect.js
new file mode 100644
index 00000000000..a637624177c
--- /dev/null
+++ b/app/assets/javascripts/discourse/dialects/anchor_dialect.js
@@ -0,0 +1,13 @@
+// prevent XSS
+Discourse.Dialect.on('parseNode', function (event) {
+ var node = event.node;
+
+ if (node[0] === 'a') {
+ var attributes = node[1];
+ if (attributes["href"]) {
+ if (!Discourse.Markdown.urlAllowed(attributes["href"])) {
+ delete attributes["href"];
+ }
+ }
+ }
+});
diff --git a/test/javascripts/lib/markdown_test.js b/test/javascripts/lib/markdown_test.js
index 74f1237b7d9..ec18c80a2d1 100644
--- a/test/javascripts/lib/markdown_test.js
+++ b/test/javascripts/lib/markdown_test.js
@@ -352,6 +352,8 @@ test("sanitize", function() {
 equal(sanitize(""), "hullo");
 equal(sanitize(""), "press me!");
 equal(sanitize("draw me!"), "draw me!");
+
+ cooked("[the answer](javascript:alert(42))", "

the answer

", "it prevents XSS");
 });
 
 test("URLs in BBCode tags", function() {
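Review bot: `var attributes = node[1]` on the `node[0] === 'a'` branch in anchor_dialect.js assumes an anchor node always carries an attribute object in slot 1; if the parser ever hands this hook an `a` node without one, `attributes["href"]` throws inside the parseNode handler and the whole post fails to render. A defensive `var attributes = node[1] || {};` keeps a malformed node from taking the render down, and since slot 1 in a JsonML node can presumably also be a string child, guarding with `typeof attributes === 'object'` would be the fuller check — confirm against what Discourse.Dialect delivers in `event.node`. The `// prevent XSS` header is thin for a security control; I would replace it with `// Drop the href of any markdown link whose URL fails Discourse.Markdown.urlAllowed (e.g. a javascript: scheme), keeping the link text; urlAllowed is the single policy point for what a markdown link may target.` Only `href` on `a` nodes is filtered here, so if image nodes reach parseNode with a `src` attribute they are not covered by this hook.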
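Review bot: The new `cooked(...)` assertion in markdown_test.js pins only the blocked path with a lowercase `javascript:` scheme; nothing here checks the other direction, so a regression that made `urlAllowed` reject every URL would still pass this test. Add a companion expectation that an ordinary link keeps its href, for example `cooked("[ok](http://example.com)", ...)` (constructed example) with the href present in the expected markup, and a second blocked case using a mixed-case scheme so the check is shown to be case-insensitive. The enclosing `test("sanitize", ...)` function begins outside this hunk.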