Fix CVE-2017-16792 - Stored XSS

Reject Javascript Link
geminabox · Nov 13, 2017 · f8429a9 · f8429a9
1 parent c173cb5
commit f8429a9
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 2 deletions.
diff --git a/lib/geminabox/server.rb b/lib/geminabox/server.rb
@@ -307,6 +307,15 @@ def combined_gem_list
     end
 
     helpers do
+      def href(text)
+        escaped_text = Rack::Utils.escape_html(text)
+        if escaped_text.start_with?('http://') || escaped_text.start_with?('https://')
+          escaped_text
+        else
+          '#'
+        end
+      end
+
       def h(text)
         Rack::Utils.escape_html(text)
       end

diff --git a/views/gem.erb b/views/gem.erb
@@ -27,7 +27,7 @@
           <%= spec.description %>
           <br/>
           <span class="author">– <%= spec.authors.map do |author|
-            "<a href='#{h(spec.homepage)}'>#{author}</a>"
+            "<a href='#{href(spec.homepage)}'>#{author}</a>"
           end.join(', ') %></span>
         <% end %>
         </p>

diff --git a/views/index.erb b/views/index.erb
@@ -46,7 +46,7 @@
               <%= spec.description %>
               <br/>
               <span class="author">– <%= spec.authors.map do |author|
-                "<a href='#{h(spec.homepage)}'>#{author}</a>"
+                "<a href='#{href(spec.homepage)}'>#{author}</a>"
               end.join(', ') %></span>
             <% end %>
           </p>