+++ /dev/null
-Patch taken from Debian (via upstream pull request that is still pending)
-
-http://sources.debian.net/src/ruby-redcloth/4.2.9-4/debian/patches/0001-Filter-out-javascript-links-when-using-filter_html-o.patch/
-https://github.com/jgarber/redcloth/pull/20/commits
-
-From b3d82f0c3a354a2f589e1fd43f5f1d7e427b530e Mon Sep 17 00:00:00 2001
-From: Antonio Terceiro <terceiro@debian.org>
-Date: Sat, 7 Feb 2015 23:27:39 -0200
-Subject: [PATCH] Filter out 'javascript:' links when using filter_html or
- sanitize_html
-
-This is a fix for CVE-2012-6684
----
- lib/redcloth/formatters/html.rb | 6 +++++-
- spec/security/CVE-2012-6684_spec.rb | 14 ++++++++++++++
- 2 files changed, 19 insertions(+), 1 deletion(-)
- create mode 100644 spec/security/CVE-2012-6684_spec.rb
-
-diff --git a/lib/redcloth/formatters/html.rb b/lib/redcloth/formatters/html.rb
-index bfadfb7..b8793b2 100644
---- a/lib/redcloth/formatters/html.rb
-+++ b/lib/redcloth/formatters/html.rb
-@@ -111,7 +111,11 @@ module RedCloth::Formatters::HTML
- end
-
- def link(opts)
-- "<a href=\"#{escape_attribute opts[:href]}\"#{pba(opts)}>#{opts[:name]}</a>"
-+ if (filter_html || sanitize_html) && opts[:href] =~ /^\s*javascript:/
-+ opts[:name]
-+ else
-+ "<a href=\"#{escape_attribute opts[:href]}\"#{pba(opts)}>#{opts[:name]}</a>"
-+ end
- end
-
- def image(opts)
-diff --git a/spec/security/CVE-2012-6684_spec.rb b/spec/security/CVE-2012-6684_spec.rb
-new file mode 100644
-index 0000000..05219fd
---- /dev/null
-+++ b/spec/security/CVE-2012-6684_spec.rb
-@@ -0,0 +1,14 @@
-+# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6684
-+
-+require 'redcloth'
-+
-+describe 'CVE-2012-6684' do
-+
-+ it 'should not let javascript links pass through' do
-+ # PoC from http://co3k.org/blog/redcloth-unfixed-xss-en
-+ output = RedCloth.new('["clickme":javascript:alert(%27XSS%27)]', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html
-+ expect(output).to_not match(/href=.javascript:alert/)
-+ end
-+
-+
-+end
---
-2.1.4
-
projects / gentoo.git / commitdiff