Fixed a potential XSS by link attributes

tenderlove · Jun 5, 2014 · 13579a7 · 13579a7
1 parent 0afc461
commit 13579a7
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/lib/rails_autolink/helpers.rb b/lib/rails_autolink/helpers.rb
@@ -72,7 +72,7 @@ def auto_link(text, *args, &block) #link = :all, html = {}, &block)
 
           AUTO_LINK_RE = %r{
               (?: ((?:ed2k|ftp|http|https|irc|mailto|news|gopher|nntp|telnet|webcal|xmpp|callto|feed|svn|urn|aim|rsync|tag|ssh|sftp|rtsp|afs|file):)// | www\. )
-              [^\s<\u00A0]+
+              [^\s<\u00A0"]+
             }ix
 
           # regexps for determining context, used high-volume

diff --git a/test/test_rails_autolink.rb b/test/test_rails_autolink.rb
@@ -138,6 +138,14 @@ def test_auto_link_already_linked
     assert_equal linked_email, auto_link(linked_email)
   end
 
+  def test_auto_link_with_malicious_attr
+    url1 = "http://api.rubyonrails.com/Foo.html"
+    malicious = "\"onmousemove=\"prompt()"
+    combination = "#{url1}#{malicious}"
+
+    assert_equal %(<p><a href="#{url1}">#{url1}</a>#{malicious}</p>), auto_link("<p>#{combination}</p>")
+  end
+
   def test_auto_link_at_eol
     url1 = "http://api.rubyonrails.com/Foo.html"
     url2 = "http://www.ruby-doc.org/core/Bar.html"