[#647] Fix XSS in textile image syntax.

Image URLs are not properly escaped in the bundled RedCloth3 library. It thus allowed an XSS vector. The patch was adapted from r7570 from Redmine by Etiene Massip. See also http://www.redmine.org/issues/9245.

[#647] Fix XSS in textile image syntax.
Image URLs are not properly escaped in the bundled RedCloth3 library. It thus allowed an XSS vector. The patch was adapted from r7570 from Redmine by Etiene Massip. See also http://www.redmine.org/issues/9245.
cb2086f6 · Holger Just · 21a45b4e · cb2086f6 · cb2086f6
Commit cb2086f6 authored 13 years ago by Holger Just
--- a/lib/redcloth3.rb
+++ b/lib/redcloth3.rb
@@ -939,7 +939,7 @@ class RedCloth3 < String
            stln,algn,atts,url,title,href,href_a1,href_a2 = $~[1..8]
            htmlesc title
            atts = pba( atts )
-            atts = " src=\"#{ url }\"#{ atts }"
+            atts = " src=\"#{ htmlesc url.dup }\"#{ atts }"
            atts << " title=\"#{ title }\"" if title
            atts << " alt=\"#{ title }\"" 
            # size = @getimagesize($url);

--- a/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb
+++ b/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb
@@ -194,6 +194,14 @@ EXPECTED
    assert_equal '<p>[msg1][msg2]</p>', to_html('[msg1][msg2]')
  end

+  def test_textile_should_escape_image_urls
+    # this is onclick="alert('XSS');" in encoded form
+    raw = '!/images/comment.png"onclick=&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x27;&#x58;&#x53;&#x53;&#x27;&#x29;;&#x22;!'
+    expected = '<p><img src="/images/comment.png&quot;onclick=&amp;#x61;&amp;#x6c;&amp;#x65;&amp;#x72;&amp;#x74;&amp;#x28;&amp;#x27;&amp;#x58;&amp;#x53;&amp;#x53;&amp;#x27;&amp;#x29;;&amp;#x22;" alt="" /></p>'
+
+    assert_equal expected.gsub(%r{\s+}, ''), to_html(raw).gsub(%r{\s+}, '')
+  end
+
  private

  def assert_html_output(to_test, expect_paragraph = true)