XSS vulnerabilities in textile links (#32934).

Patch by Holger Just. git-svn-id: http://svn.redmine.org/redmine/trunk@19672 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-12-19 15:01:14 +00:00 · 2020-04-05 14:41:33 +00:00 · 2020-04-05 14:41:33 +00:00 · 895fc12d56
commit 895fc12d56
parent d257990868
1 changed files with 9 additions and 1 deletions
--- a/lib/redmine/wiki_formatting/textile/redcloth3.rb
+++ b/lib/redmine/wiki_formatting/textile/redcloth3.rb
@ -838,8 +838,12 @@ class RedCloth3 < String
              url = url[0..-2] # discard closing parenth from url
              post = ")" + post # add closing parenth to post
            end
+
+            url = htmlesc(url.dup)
+            next all if url.downcase.start_with?('javascript:')
+
            atts = pba(atts)
-            atts = +" href=\"#{htmlesc url}#{slash}\"#{atts}"
+            atts = +" href=\"#{url}#{slash}\"#{atts}"
            atts << " title=\"#{htmlesc title}\"" if title
            atts = shelve(atts) if atts
            external = (url =~ /^https?:\/\//) ? ' class="external"' : ''
@ -958,6 +962,10 @@ class RedCloth3 < String
            url, url_title = check_refs( url )

            next m unless uri_with_safe_scheme?(url)
+            if href
+              href = htmlesc(href.dup)
+              next m if href.downcase.start_with?('javascript:')
+            end

            out = +''
            out << "<a#{shelve(" href=\"#{href}\"")}>" if href