
XSS vulnerabilities in textile links (#32934).

Patch by Holger Just.

git-svn-id: http://svn.redmine.org/redmine/trunk@19672 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Jean-Philippe Lang 2020-04-05 14:41:33 +00:00
parent d257990868
commit 895fc12d56


@ -838,8 +838,12 @@ class RedCloth3 < String
url = url[0..-2] # discard closing parenth from url url = url[0..-2] # discard closing parenth from url
post = ")" + post # add closing parenth to post post = ")" + post # add closing parenth to post
end end
url = htmlesc(url.dup)
next all if url.downcase.start_with?('javascript:')
atts = pba(atts) atts = pba(atts)
atts = +" href=\"#{htmlesc url}#{slash}\"#{atts}" atts = +" href=\"#{url}#{slash}\"#{atts}"
atts << " title=\"#{htmlesc title}\"" if title atts << " title=\"#{htmlesc title}\"" if title
atts = shelve(atts) if atts atts = shelve(atts) if atts
external = (url =~ /^https?:\/\//) ? ' class="external"' : '' external = (url =~ /^https?:\/\//) ? ' class="external"' : ''
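Review bot: The new guard `next all if url.downcase.start_with?('javascript:')` is a denylist of a single scheme, so a `data:` or `vbscript:` URL (or anything else the second hunk's `uri_with_safe_scheme?(url)` check would refuse) still lands in the `href` attribute on this code path; the other hunk in this commit applies that helper before its own `javascript:` prefix check, while this one does not. Comparing against the already-escaped `url` does make the prefix check itself robust to entity-encoded variants, since `&` is escaped before the comparison, but it does not close the scheme gap. I would add `next all unless uri_with_safe_scheme?(url)` ahead of the `url = htmlesc(url.dup)` line so both link paths share one policy; whether that helper is a true allowlist cannot be confirmed from this hunk and should be checked at its definition. The enclosing method begins and ends outside the hunk.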
@ -958,6 +962,10 @@ class RedCloth3 < String
url, url_title = check_refs( url ) url, url_title = check_refs( url )
next m unless uri_with_safe_scheme?(url) next m unless uri_with_safe_scheme?(url)
if href
href = htmlesc(href.dup)
next m if href.downcase.start_with?('javascript:')
end
out = +'' out = +''
out << "<a#{shelve(" href=\"#{href}\"")}>" if href out << "<a#{shelve(" href=\"#{href}\"")}>" if href