XSS vulnerabilities in textile links (#32934).

author Jean-Philippe Lang <jp_lang@yahoo.fr>

Sun, 5 Apr 2020 14:41:33 +0000 (14:41 +0000)

committer Jean-Philippe Lang <jp_lang@yahoo.fr>

Sun, 5 Apr 2020 14:41:33 +0000 (14:41 +0000)
author Jean-Philippe Lang <jp_lang@yahoo.fr>
Sun, 5 Apr 2020 14:41:33 +0000 (14:41 +0000)
committer Jean-Philippe Lang <jp_lang@yahoo.fr>
Sun, 5 Apr 2020 14:41:33 +0000 (14:41 +0000)
diff --git a/lib/redmine/wiki_formatting/textile/redcloth3.rb b/lib/redmine/wiki_formatting/textile/redcloth3.rb

index 54725d2bfc660d0b4530a4f7f27f9ac6462d3398..5b534df915845de6e35c219b5c0442dfb62d3aca 100644 (file)
--- a/lib/redmine/wiki_formatting/textile/redcloth3.rb
+++ b/lib/redmine/wiki_formatting/textile/redcloth3.rb
@@ -838,8 +838,12 @@ class RedCloth3 < String
                url = url[0..-2] # discard closing parenth from url
                post = ")" + post # add closing parenth to post
              end
+
+            url = htmlesc(url.dup)
+            next all if url.downcase.start_with?('javascript:')
+
              atts = pba(atts)
-            atts = +" href=\"#{htmlesc url}#{slash}\"#{atts}"
+            atts = +" href=\"#{url}#{slash}\"#{atts}"
              atts << " title=\"#{htmlesc title}\"" if title
              atts = shelve(atts) if atts
              external = (url =~ /^https?:\/\//) ? ' class="external"' : ''
@@ -958,6 +962,10 @@ class RedCloth3 < String
              url, url_title = check_refs( url )
  
              next m unless uri_with_safe_scheme?(url)
+            if href
+              href = htmlesc(href.dup)
+              next m if href.downcase.start_with?('javascript:')
+            end
  
              out = +''
              out << "<a#{shelve(" href=\"#{href}\"")}>" if href
author	Jean-Philippe Lang <jp_lang@yahoo.fr>
	Sun, 5 Apr 2020 14:41:33 +0000 (14:41 +0000)
committer	Jean-Philippe Lang <jp_lang@yahoo.fr>
	Sun, 5 Apr 2020 14:41:33 +0000 (14:41 +0000)