Sanitize `data:` links

Closes #13625
author: Robert Speicher <rspeicher@gmail.com> 2016-02-21 17:33:35 -0500
committer: Robert Speicher <rspeicher@gmail.com> 2016-02-21 17:33:35 -0500
commit: 4225fd229f8503c3007e07cbad2ccac319b2547b (patch)
tree: 0e0243eeb41a784551172ca020fe7702e9cf9dfb /spec
parent: 1367caa642e7ec9a46f202b6149a01e7093c573d (diff)
download: gitlab-ce-4225fd229f8503c3007e07cbad2ccac319b2547b.tar.gz
1 files changed, 8 insertions, 1 deletions
diff --git a/spec/lib/banzai/filter/sanitization_filter_spec.rb b/spec/lib/banzai/filter/sanitization_filter_spec.rb
index e14a6dbf922..247f492e6a9 100644
--- a/spec/lib/banzai/filter/sanitization_filter_spec.rb
+++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb
@@ -156,13 +156,20 @@ describe Banzai::Filter::SanitizationFilter, lib: true do
     }
 
     protocols.each do |name, data|
-      it "handles #{name}" do
+      it "disallows #{name}" do
         doc = filter(data[:input])
 
         expect(doc.to_html).to eq data[:output]
       end
     end
 
+    it 'disallows data links' do
+      input = '<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">XSS</a>'
+      output = filter(input)
+
+      expect(output.to_html).to eq '<a>XSS</a>'
+    end
+
     it 'allows non-standard anchor schemes' do
       exp = %q{<a href="irc://irc.freenode.net/git">IRC</a>}
       act = filter(exp)
author	Robert Speicher <rspeicher@gmail.com>	2016-02-21 17:33:35 -0500
committer	Robert Speicher <rspeicher@gmail.com>	2016-02-21 17:33:35 -0500
commit	4225fd229f8503c3007e07cbad2ccac319b2547b (patch)
tree	0e0243eeb41a784551172ca020fe7702e9cf9dfb /spec
parent	1367caa642e7ec9a46f202b6149a01e7093c573d (diff)
download	gitlab-ce-4225fd229f8503c3007e07cbad2ccac319b2547b.tar.gz