Skip to content

O
OHR Support
Commit cb2086f6 authored by Holger Just's avatar Holger Just
Browse files
Options

[#647] Fix XSS in textile image syntax. 

Image URLs are not properly escaped in the bundled RedCloth3 library.
It thus allowed an XSS vector.

The patch was adapted from r7570 from Redmine by Etiene Massip. See also
http://www.redmine.org/issues/9245.
parent 21a45b4e
Hide whitespace changes
Inline Side-by-side
Showing with 9 additions and 1 deletion
lib/redcloth3.rb
View file @ cb2086f6
......@@ -939,7 +939,7 @@ class RedCloth3 < String
stln,algn,atts,url,title,href,href_a1,href_a2 = $~[1..8]
htmlesc title
atts = pba( atts )
atts = " src=\"#{ url }\"#{ atts }"
atts = " src=\"#{ htmlesc url.dup }\"#{ atts }"
atts << " title=\"#{ title }\"" if title
atts << " alt=\"#{ title }\""
# size = @getimagesize($url);
......
test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb
View file @ cb2086f6
......@@ -194,6 +194,14 @@ EXPECTED
assert_equal '<p>[msg1][msg2]</p>', to_html('[msg1][msg2]')
end
def test_textile_should_escape_image_urls
# this is onclick="alert('XSS');" in encoded form
raw = '!/images/comment.png"onclick=&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x27;&#x58;&#x53;&#x53;&#x27;&#x29;;&#x22;!'
expected = '<p><img src="/images/comment.png&quot;onclick=&amp;#x61;&amp;#x6c;&amp;#x65;&amp;#x72;&amp;#x74;&amp;#x28;&amp;#x27;&amp;#x58;&amp;#x53;&amp;#x53;&amp;#x27;&amp;#x29;;&amp;#x22;" alt="" /></p>'
assert_equal expected.gsub(%r{\s+}, ''), to_html(raw).gsub(%r{\s+}, '')
end
private
def assert_html_output(to_test, expect_paragraph = true)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment