gitlab-foss
Commit 849cc380
Authored May 07, 2016 by Stan Hu
Use a case-insensitive comparison in sanitizing URI schemes
Closes #1625
Parent 93b4a3a1
Showing 3 changed files with 8 additions and 1 deletion (+8 -1)
CHANGELOG +1 -0
lib/banzai/filter/sanitization_filter.rb +1 -1
spec/lib/banzai/filter/sanitization_filter_spec.rb +6 -0
CHANGELOG
@@ -2,6 +2,7 @@ Please view this file on the master branch, on stable branches it's out of date.
v 8.8.0 (unreleased)
- Assign labels and milestone to target project when moving issue. !3934 (Long Nguyen)
- Use a case-insensitive comparison in sanitizing URI schemes
- Project#open_branches has been cleaned up and no longer loads entire records into memory.
- Escape HTML in commit titles in system note messages
- Improve multiple branch push performance by memoizing permission checking
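Review bot: the new CHANGELOG entry carries no issue or merge-request reference, while the neighbouring entry cites `!3934` and the commit message itself says "Closes #1625". Append the reference so the release notes link back to the report, e.g. `- Use a case-insensitive comparison in sanitizing URI schemes. #1625`.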
lib/banzai/filter/sanitization_filter.rb
@@ -63,7 +63,7 @@ module Banzai
begin
uri
=
Addressable
::
URI
.
parse
(
node
[
'href'
])
uri
.
scheme
.
strip!
if
uri
.
scheme
uri
.
scheme
=
uri
.
scheme
.
strip
.
downcase
if
uri
.
scheme
node
.
remove_attribute
(
'href'
)
if
UNSAFE_PROTOCOLS
.
include?
(
uri
.
scheme
)
rescue
Addressable
::
URI
::
InvalidURIError
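Review bot: `strip.downcase` normalises only the ends of the scheme and its letter case, so whitespace or control characters embedded inside the scheme (Ruby's `String#strip` does not touch them) would still reach the `UNSAFE_PROTOCOLS.include?(uri.scheme)` comparison unchanged and not match the blacklisted entry. Consider also deleting tab, CR and LF from the scheme before comparing, or, more robustly, replacing the `UNSAFE_PROTOCOLS` denylist with an allowlist of accepted schemes so that any unexpected spelling fails closed. The `rescue Addressable::URI::InvalidURIError` branch that handles unparsable hrefs is outside this hunk, so please confirm it removes the attribute rather than leaving it in place.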
spec/lib/banzai/filter/sanitization_filter_spec.rb
@@ -22,6 +22,12 @@ describe Banzai::Filter::SanitizationFilter, lib: true do
expect
(
filter
(
act
).
to_html
).
to
eq
exp
end
it
'sanitizes mixed-cased javascript in attributes'
do
act
=
%q(<a href="javaScript:alert('foo')">Text</a>)
exp
=
'<a>Text</a>'
expect
(
filter
(
act
).
to_html
).
to
eq
exp
end
it
'allows whitelisted HTML tags from the user'
do
exp
=
act
=
"<dl>
\n
<dt>Term</dt>
\n
<dd>Definition</dd>
\n
</dl>"
expect
(
filter
(
act
).
to_html
).
to
eq
exp
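Review bot: the added example pins down only the case-insensitive path (`javaScript:`), yet the same change also trims whitespace from the scheme and applies to every entry in `UNSAFE_PROTOCOLS`. Add at least one input with leading whitespace and one in all caps, e.g. `%q(<a href="  JAVASCRIPT:alert('foo')">Text</a>)`, expecting the same `'<a>Text</a>'` if the strip-and-downcase path works as intended, plus a negative example showing that a benign scheme such as `https:` keeps its `href`, so a future regression in either direction is caught.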