Use a case-insensitive comparison in sanitizing URI schemes

Closes #1625

Use a case-insensitive comparison in sanitizing URI schemes
849cc380 · Stan Hu · 93b4a3a1 · 849cc380 · 849cc380 · 849cc380
Commit 849cc380 authored 8 years ago by Stan Hu
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -2,6 +2,7 @@ Please view this file on the master branch, on stable branches it's out of date.

 v 8.8.0 (unreleased)
  - Assign labels and milestone to target project when moving issue. !3934 (Long Nguyen)
+  - Use a case-insensitive comparison in sanitizing URI schemes
  - Project#open_branches has been cleaned up and no longer loads entire records into memory.
  - Escape HTML in commit titles in system note messages
  - Improve multiple branch push performance by memoizing permission checking

--- a/lib/banzai/filter/sanitization_filter.rb
+++ b/lib/banzai/filter/sanitization_filter.rb
@@ -63,7 +63,7 @@ def remove_unsafe_links

          begin
            uri = Addressable::URI.parse(node['href'])
-            uri.scheme.strip! if uri.scheme
+            uri.scheme = uri.scheme.strip.downcase if uri.scheme

            node.remove_attribute('href') if UNSAFE_PROTOCOLS.include?(uri.scheme)
          rescue Addressable::URI::InvalidURIError

--- a/spec/lib/banzai/filter/sanitization_filter_spec.rb
+++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb
@@ -22,6 +22,12 @@
      expect(filter(act).to_html).to eq exp
    end

+    it 'sanitizes mixed-cased javascript in attributes' do
+      act = %q(<a href="javaScript:alert('foo')">Text</a>)
+      exp = '<a>Text</a>'
+      expect(filter(act).to_html).to eq exp
+    end
+
    it 'allows whitelisted HTML tags from the user' do
      exp = act = "<dl>\n<dt>Term</dt>\n<dd>Definition</dd>\n</dl>"
      expect(filter(act).to_html).to eq exp