Sanitize `vbscript:` linksrs-data-links

Closes https://dev.gitlab.org/gitlab/gitlabhq/issues/2660
author: Robert Speicher <rspeicher@gmail.com> 2016-02-23 20:40:31 -0500
committer: Robert Speicher <rspeicher@gmail.com> 2016-02-23 20:42:03 -0500
commit: 989946f33717685065812d72e9ed4490fe969104 (patch)
tree: 871536ec2cbb9d929d5966afd93f514b81f0da65 /spec
parent: 4225fd229f8503c3007e07cbad2ccac319b2547b (diff)
download: gitlab-ce-989946f33717685065812d72e9ed4490fe969104.tar.gz
1 files changed, 7 insertions, 0 deletions
diff --git a/spec/lib/banzai/filter/sanitization_filter_spec.rb b/spec/lib/banzai/filter/sanitization_filter_spec.rb
index 247f492e6a9..4a7b00c7660 100644
--- a/spec/lib/banzai/filter/sanitization_filter_spec.rb
+++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb
@@ -170,6 +170,13 @@ describe Banzai::Filter::SanitizationFilter, lib: true do
       expect(output.to_html).to eq '<a>XSS</a>'
     end
 
+    it 'disallows vbscript links' do
+      input = '<a href="vbscript:alert(document.domain)">XSS</a>'
+      output = filter(input)
+
+      expect(output.to_html).to eq '<a>XSS</a>'
+    end
+
     it 'allows non-standard anchor schemes' do
       exp = %q{<a href="irc://irc.freenode.net/git">IRC</a>}
       act = filter(exp)
author	Robert Speicher <rspeicher@gmail.com>	2016-02-23 20:40:31 -0500
committer	Robert Speicher <rspeicher@gmail.com>	2016-02-23 20:42:03 -0500
commit	989946f33717685065812d72e9ed4490fe969104 (patch)
tree	871536ec2cbb9d929d5966afd93f514b81f0da65 /spec
parent	4225fd229f8503c3007e07cbad2ccac319b2547b (diff)
download	gitlab-ce-989946f33717685065812d72e9ed4490fe969104.tar.gz