Commit 4e3fe484 authored by Holger Just's avatar Holger Just

[#647] Fix XSS in textile image syntax.

parent 4cea676d
...@@ -936,7 +936,7 @@ class RedCloth3 < String ...@@ -936,7 +936,7 @@ class RedCloth3 < String
stln,algn,atts,url,title,href,href_a1,href_a2 = $~[1..8] stln,algn,atts,url,title,href,href_a1,href_a2 = $~[1..8]
htmlesc title htmlesc title
atts = pba( atts ) atts = pba( atts )
atts = " src=\"#{ url }\"#{ atts }" atts = " src=\"#{ htmlesc url.dup }\"#{ atts }"
atts << " title=\"#{ title }\"" if title atts << " title=\"#{ title }\"" if title
atts << " alt=\"#{ title }\"" atts << " alt=\"#{ title }\""
# size = @getimagesize($url); # size = @getimagesize($url);
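Review bot: `htmlesc url.dup` on the changed line escapes the attribute context and so closes the quote break-out that the new test pins down, but nothing in this hunk constrains the scheme of `url` before it is placed in `src`; if the surrounding method (which starts above this hunk) does not already allow-list schemes or restrict to relative paths, a scheme check next to this line would be the natural complement to the escaping. The `.dup` also deserves a why-comment, since `title` on the line above is escaped without one: the asymmetry suggests `htmlesc` rewrites its argument in place and the raw `url` is still needed later, but that cannot be confirmed from the hunk. If that is the reason, `# htmlesc mutates its argument; keep url unescaped for later use` would stop the next maintainer from "simplifying" it away.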
...@@ -85,7 +85,15 @@ class Redmine::WikiFormatting::TextileFormatterTest < HelperTestCase ...@@ -85,7 +85,15 @@ class Redmine::WikiFormatting::TextileFormatterTest < HelperTestCase
'GPL(This is a double-quoted "title")' => '<acronym title="This is a double-quoted &quot;title&quot;">GPL</acronym>' 'GPL(This is a double-quoted "title")' => '<acronym title="This is a double-quoted &quot;title&quot;">GPL</acronym>'
) )
end end
def test_textile_should_escape_image_urls
# this is onclick="alert('XSS');" in encoded form
raw = '!/images/comment.png"onclick=&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x27;&#x58;&#x53;&#x53;&#x27;&#x29;;&#x22;!'
expected = '<img src="/images/comment.png&quot;onclick=&amp;#x61;&amp;#x6c;&amp;#x65;&amp;#x72;&amp;#x74;&amp;#x28;&amp;#x27;&amp;#x58;&amp;#x53;&amp;#x53;&amp;#x27;&amp;#x29;;&amp;#x22;" alt="" />'
assert_html_output(raw => expected)
end
private private
def assert_html_output(to_test) def assert_html_output(to_test)
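Review bot: test_textile_should_escape_image_urls pins only the `src` attribute of a bare image, while the formatter's regex also captures `title` and `href` (visible on the first line of the RedCloth3 hunk), so a companion case using the linked-image form with a title, e.g. `'!/images/comment.png(a"b)!:/link"c'` (constructed), would show whether the same escaping reaches those attributes. How `href` is emitted lies outside the changed hunk, so it may already be covered; if not, that is the obvious gap in this regression test. The long expected string also silently documents that entities in the raw URL are escaped again rather than decoded (`&amp;#x61;`); a one-line comment above `expected`, `# entities in the raw URL are re-escaped, not decoded`, would make that intent explicit.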