SECURITY: sanitize markdown urls (prevent XSS)
This commit is contained in:
parent
d5b1b64bb8
commit
e663d78104
2 changed files with 15 additions and 0 deletions
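--- a/app/assets/javascripts/discourse/dialects/anchor_dialect.js
+++ b/app/assets/javascripts/discourse/dialects/anchor_dialect.js
@@ -0,0 +1,13 @@
+// prevent XSS
+Discourse.Dialect.on('parseNode', function (event) {
+  var node = event.node;
+
+  if (node[0] === 'a') {
+    var attributes = node[1];
+    if (attributes["href"]) {
+      if (!Discourse.Markdown.urlAllowed(attributes["href"])) {
+        delete attributes["href"];
+      }
+    }
+  }
+});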
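Review bot: The `if (attributes["href"])` line dereferences `node[1]` without checking that it exists; if the parser can ever emit an `a` node with no attribute object, this throws a TypeError inside the parse hook instead of leaving the link alone, and `if (attributes && attributes["href"])` is the cheap guard. The whole decision is delegated to `Discourse.Markdown.urlAllowed`, which is outside this commit, so a reader of this file cannot tell which schemes are rejected or whether case and leading-whitespace variants of the scheme are normalized before the check; the `// prevent XSS` comment should say so, e.g. `// Drop the href of any anchor whose URL fails Discourse.Markdown.urlAllowed; the link text is kept and the scheme policy lives in Discourse.Markdown.` Only the `href` of `a` nodes is covered here — if the dialect also produces nodes with other URL-bearing attributes (an image `src`, for instance), it is worth confirming they pass through the same check.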
@ -352,6 +352,8 @@ test("sanitize", function() {
equal(sanitize("<textarea>hullo</textarea>"), "hullo");
equal(sanitize("<button>press me!</button>"), "press me!");
equal(sanitize("<canvas>draw me!</canvas>"), "draw me!");
|
cooked("[the answer](javascript:alert(42))", "<p><a>the answer</a></p>", "it prevents XSS");
});
|
test("URLs in BBCode tags", function() {
|
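Review bot: The new `cooked("[the answer](javascript:alert(42))", …)` assertion pins only the lowercase scheme and the stripped output; the same test should also assert the positive case — that an ordinary `http://` link keeps its `href` — so a regression in `Discourse.Markdown.urlAllowed` that rejects everything is caught here rather than by users. Mixed-case scheme and leading-whitespace variants are the usual gaps for this kind of filter, and a second `cooked` line covering one of them would document what the allow-list is expected to normalize. The enclosing `test("sanitize", …)` function starts before this hunk.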