XSS vulnerabilities in textile links (#32934).

Patch by Holger Just.

git-svn-id: http://svn.redmine.org/redmine/trunk@19672 e93f8b46-1217-0410-a6f0-8f06a7374b81

lib/redmine/wiki_formatting/textile/redcloth3.rb

@@ -838,8 +838,12 @@ class RedCloth3 < String
               url = url[0..-2] # discard closing parenth from url
               post = ")" + post # add closing parenth to post
             end
+
+            url = htmlesc(url.dup)
+            next all if url.downcase.start_with?('javascript:')
+
             atts = pba(atts)
-            atts = +" href=\"#{htmlesc url}#{slash}\"#{atts}"
+            atts = +" href=\"#{url}#{slash}\"#{atts}"
             atts << " title=\"#{htmlesc title}\"" if title
             atts = shelve(atts) if atts
             external = (url =~ /^https?:\/\//) ? ' class="external"' : ''
@@ -958,6 +962,10 @@ class RedCloth3 < String
             url, url_title = check_refs( url )
 
             next m unless uri_with_safe_scheme?(url)
+            if href
+              href = htmlesc(href.dup)
+              next m if href.downcase.start_with?('javascript:')
+            end
 
             out = +''
             out << "<a#{shelve(" href=\"#{href}\"")}>" if href