Commit 4e3fe484 authored by Holger Just's avatar Holger Just

[#647] Fix XSS in textile image syntax.

parent 4cea676d
......@@ -936,7 +936,7 @@ class RedCloth3 < String
stln,algn,atts,url,title,href,href_a1,href_a2 = $~[1..8]
htmlesc title
atts = pba( atts )
atts = " src=\"#{ url }\"#{ atts }"
atts = " src=\"#{ htmlesc url.dup }\"#{ atts }"
atts << " title=\"#{ title }\"" if title
atts << " alt=\"#{ title }\""
# size = @getimagesize($url);
......
......@@ -86,6 +86,14 @@ class Redmine::WikiFormatting::TextileFormatterTest < HelperTestCase
)
end
def test_textile_should_escape_image_urls
# this is onclick="alert('XSS');" in encoded form
raw = '!/images/comment.png"onclick=&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x27;&#x58;&#x53;&#x53;&#x27;&#x29;;&#x22;!'
expected = '<img src="/images/comment.png&quot;onclick=&amp;#x61;&amp;#x6c;&amp;#x65;&amp;#x72;&amp;#x74;&amp;#x28;&amp;#x27;&amp;#x58;&amp;#x53;&amp;#x53;&amp;#x27;&amp;#x29;;&amp;#x22;" alt="" />'
assert_html_output(raw => expected)
end
private
def assert_html_output(to_test)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment