From a9342dbf9240f5627fb265c3fbac789addd1d228 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A9gis=20Hanol?= Date: Tue, 15 Jul 2014 16:11:37 +0200 Subject: [PATCH] SECURITY: fix XSS in link's href --- app/assets/javascripts/discourse/lib/markdown.js | 3 +++ test/javascripts/lib/markdown_test.js | 8 +++++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/app/assets/javascripts/discourse/lib/markdown.js b/app/assets/javascripts/discourse/lib/markdown.js index cee428cad..a28496cdb 100644 --- a/app/assets/javascripts/discourse/lib/markdown.js +++ b/app/assets/javascripts/discourse/lib/markdown.js @@ -164,6 +164,9 @@ Discourse.Markdown = { urlAllowed: function (uri, effect, ltype, hints) { var url = typeof(uri) === "string" ? uri : uri.toString(); + // escape single quotes + url = url.replace(/'/g, "'"); + // whitelist some iframe only if (hints && hints.XML_TAG === "iframe" && hints.XML_ATTR === "src") { for (var i = 0, length = _validIframes.length; i < length; i++) { diff --git a/test/javascripts/lib/markdown_test.js b/test/javascripts/lib/markdown_test.js index c557b7f23..b40e2a779 100644 --- a/test/javascripts/lib/markdown_test.js +++ b/test/javascripts/lib/markdown_test.js @@ -401,14 +401,20 @@ test("URLs in BBCode tags", function() { }); test("urlAllowed", function() { + var urlAllowed = Discourse.Markdown.urlAllowed; + var allowed = function(url, msg) { - equal(Discourse.Markdown.urlAllowed(url), url, msg); + equal(urlAllowed(url), url, msg); }; allowed("/foo/bar.html", "allows relative urls"); allowed("http://eviltrout.com/evil/trout", "allows full urls"); allowed("https://eviltrout.com/evil/trout", "allows https urls"); allowed("//eviltrout.com/evil/trout", "allows protocol relative urls"); + + equal(urlAllowed("http://google.com/test'onmouseover=alert('XSS!');//.swf"), + "http://google.com/test'onmouseover=alert('XSS!');//.swf", + "escape single quotes"); }); test("images", function() {