Fixed #2437 - square brackets are deleted in links

This commit is contained in:
Billy Zhou 2019-01-26 20:19:48 +08:00
parent db69e55158
commit 7df5c18182
3 changed files with 9 additions and 3 deletions

View file

@ -401,7 +401,6 @@ cleanup html string:
.delete("\t\n\r\u0000")
.gsub(%r{/\*.*?\*/}, '')
.gsub(/<!--.*?-->/, '')
.gsub(/\[.+?\]/, '')
sanitize_attachment_disposition(cleaned_string)
end

View file

@ -194,6 +194,13 @@ RSpec.describe HtmlSanitizer do
.to match(HtmlSanitizer::UNPROCESSABLE_HTML_MSG)
end
end
context 'with href links that contain square brackets' do
it 'correctly URL encodes them' do
expect(HtmlSanitizer.strict(+'<a href="https://example.com/?foo=bar&baz[x]=y">example</a>', true))
.to eq('<a href="https://example.com/?foo=bar&amp;baz%5Bx%5D=y" rel="nofollow noreferrer noopener" target="_blank" title="https://example.com/?foo=bar&amp;baz[x]=y">example</a>')
end
end
end
describe '.cleanup' do

View file

@ -69,8 +69,8 @@ tt p://6 6.000146.0x7.147/">XSS</A>', true), '<a href="htt%20%20p://6%206.00014
assert_equal(HtmlSanitizer.strict('<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>'), '')
assert_equal(HtmlSanitizer.strict('<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></embed>'), '')
assert_equal(HtmlSanitizer.strict('<img[a][b]src=x[d]onerror[c]=[e]"alert(1)">'), '<img>')
assert_equal(HtmlSanitizer.strict('<a href="[a]java[b]script[c]:alert(1)">XXX</a>'), 'XXX')
assert_equal(HtmlSanitizer.strict('<a href="[a]java[b]script[c]:alert(1)">XXX</a>', true), 'XXX')
assert_equal(HtmlSanitizer.strict('<a href="[a]java[b]script[c]:alert(1)">XXX</a>'), '<a href="%5Ba%5Djava%5Bb%5Dscript%5Bc%5D:alert(1)">XXX</a>')
assert_equal(HtmlSanitizer.strict('<a href="[a]java[b]script[c]:alert(1)">XXX</a>', true), '<a href="http://%5Ba%5Djava%5Bb%5Dscript%5Bc%5D:alert(1)" rel="nofollow noreferrer noopener" target="_blank" title="http://%5Ba%5Djava%5Bb%5Dscript%5Bc%5D:alert(1)">XXX</a>')
assert_equal(HtmlSanitizer.strict('<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'), 'alert(1)')
assert_equal(HtmlSanitizer.strict('<a style="position:fixed;top:0;left:0;width: 260px;height:100vh;background-color:red;display: block;" href="http://example.com"></a>'), '<a href="http://example.com" rel="nofollow noreferrer noopener" target="_blank" title="http://example.com"></a>')
assert_equal(HtmlSanitizer.strict('<a style="position:fixed;top:0;left:0;width: 260px;height:100vh;background-color:red;display: block;" href="http://example.com"></a>', true), '<a href="http://example.com" rel="nofollow noreferrer noopener" target="_blank" title="http://example.com"></a>')