Limits the schemes that inline images can use (#22926).

git-svn-id: http://svn.redmine.org/redmine/trunk@15433 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-10-17 17:01:01 +00:00 · 2016-06-01 17:32:35 +00:00 · 2016-06-01 17:32:35 +00:00 · a4bc898012
commit a4bc898012
parent 1be535443a
2 changed files with 9 additions and 0 deletions
--- a/lib/redcloth3.rb
+++ b/lib/redcloth3.rb
@ -165,6 +165,7 @@
 #  class RedCloth::Textile.new( str )

 class RedCloth3 < String
+    include Redmine::Helpers::URL

    VERSION = '3.0.4'
    DEFAULT_RULES = [:textile, :markdown]
@ -960,6 +961,8 @@ class RedCloth3 < String
            href, alt_title = check_refs( href ) if href
            url, url_title = check_refs( url )

+            return m unless uri_with_safe_scheme?(url)
+
            out = ''
            out << "<a#{ shelve( " href=\"#{ href }\"" ) }>" if href
            out << "<img#{ shelve( atts ) } />"
--- a/lib/redmine/wiki_formatting/markdown/formatter.rb
+++ b/lib/redmine/wiki_formatting/markdown/formatter.rb
@ -43,6 +43,12 @@ module Redmine
            "<pre>" + CGI.escapeHTML(code) + "</pre>"
          end
        end
+
+        def image(link, title, alt_text)
+          return unless uri_with_safe_scheme?(link)
+
+          tag('img', :src => link, :alt => alt_text || "", :title => title)
+        end
      end

      class Formatter