SECURITY: sanitize markdown urls (prevent XSS)

This commit is contained in:
Régis Hanol 2014-03-27 15:34:35 +01:00
parent d5b1b64bb8
commit e663d78104
2 changed files with 15 additions and 0 deletions


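--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,13 @@
+// prevent XSS
+Discourse.Dialect.on('parseNode', function (event) {
+var node = event.node;
+if (node[0] === 'a') {
+var attributes = node[1];
+if (attributes["href"]) {
+if (!Discourse.Markdown.urlAllowed(attributes["href"])) {
+delete attributes["href"];
+}
+}
+}
+});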
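Review bot: The URL check in this `parseNode` hook only inspects `a` nodes and their `href`, so any other node the dialect emits with a URL-bearing attribute (for example the `src` of an image node, if the dialect routes those through `parseNode` — not visible in this hunk) is passed through without going through `Discourse.Markdown.urlAllowed`. If such nodes exist, the same "drop the attribute when `urlAllowed` rejects it" treatment should be applied to them in this hook, which would be a second branch of roughly the same shape as the existing `href` one. The header comment is also too terse to tell a maintainer what is being enforced; I would replace `// prevent XSS` with `// Strip the href of any link whose URL fails Discourse.Markdown.urlAllowed (e.g. javascript: URLs) so it renders as a bare <a>; see the "sanitize" test.` `Discourse.Markdown.urlAllowed` is not defined in this commit, so its acceptance rules cannot be reviewed here; the hook's safety rests entirely on that function rejecting non-http(s)-style schemes. The hunk header announces 13 added lines but only 12 are shown, so the final line of the file is not visible.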


@ -352,6 +352,8 @@ test("sanitize", function() {
equal(sanitize("<textarea>hullo</textarea>"), "hullo");
equal(sanitize("<button>press me!</button>"), "press me!");
equal(sanitize("<canvas>draw me!</canvas>"), "draw me!");
cooked("[the answer](javascript:alert(42))", "<p><a>the answer</a></p>", "it prevents XSS");
});
test("URLs in BBCode tags", function() {