
closed XSS after the @

Commit cffce8e60b7557e9945fc0e8b4383e5a66b1558f (1 parent: b2b27bc), committed by @bcherry on Aug 23, 2010
Showing with 9 additions and 1 deletion.
  1. +1 −1 lib/regex.rb
  2. +8 −0 spec/autolinking_spec.rb
lib/regex.rb (2 changed lines)
@@ -60,7 +60,7 @@ class Regex
# Allow @ in a url, but only in the middle. Catch things like http://example.com/@user
REGEXEN[:valid_url_path_chars] = /(?:
#{REGEXEN[:wikipedia_disambiguation]}|
- @[^\/]+\/|
+ @#{REGEXEN[:valid_general_url_path_chars]}+\/|
[\.\,]?#{REGEXEN[:valid_general_url_path_chars]}
)/ix
# Valid end-of-path chracters (so /foo. does not gobble the period).
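Review bot: the alternative `@#{REGEXEN[:valid_general_url_path_chars]}+\/` only closes the hole as long as `valid_general_url_path_chars` excludes `"`, `'`, `<`, `>` and whitespace; that class is defined outside this hunk, so add a comment on its definition (and a spec) stating that it must never admit attribute-breaking characters, otherwise a later widening of that class silently reopens the injection. The comment `# Allow @ in a url, but only in the middle.` should also say that the segment after `@` is now limited to valid path characters up to the next `/`, since the old `@[^\/]+\/` accepted anything that was not a slash, which is exactly what let the quote through.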
spec/autolinking_spec.rb (8 changed lines)
@@ -474,6 +474,14 @@ def original_text; "I like www.foobar.com dudes"; end
end
end
+ context "with a @ in a URL" do
+ def original_text; 'http://x.xx/@"style="color:pink"onmouseover=alert(1)//'; end
+
+ it "should not allow XSS follwing @" do
+ @autolinked_text.should have_autolinked_url('http://x.xx/')
+ end
+ end
+
end
describe "Autolink all" do

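Review bot: the spec name in `it "should not allow XSS follwing @" do` has a typo (`follwing`), and the context title should read `with an @ in a URL`. The single case only checks that the payload after `@` is dropped from the link; add a positive case for a legitimate `@` path segment like the `http://example.com/@user` that the regex comment cites, so the stricter pattern is shown not to break real URLs, and a second negative case using `<` as well as `"`, since both break out of the generated href attribute.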
10 comments on commit cffce8e

@romac

This would have prevented today's XSS exploits on Twitter.com.
Why hasn't this commit been pulled?

@timparker

Ha indeed!

@bitemyapp

Easy to criticize when you're not in the trenches guys...

@1stvamp

Even easier to criticise when you have been in similar trenches and it still looks bad. ;-)

@bitemyapp

> when you have been in similar trenches and it still looks bad. ;-)

I've been in that exact situation of being able to criticize because I do know better, but people are a little eager to dogpile the 'big guy' like Twitter.

@romac

No one has to be criticized, this kind of thing can happen. 100% bug-free is not possible. I'm just wondering why this hasn't been pulled by Twitter?

@bitemyapp

Deployment processes and code-vetting are non-instantaneous.

@hoverbird (Collaborator)

The fix is in production now.

@mathiasbynens

@romac: This was in fact patched last month. Read the Twitter blog:

> We discovered and patched this issue last month. However, a recent site update (unrelated to new Twitter) unknowingly resurfaced it.
