javascript checks case insensitive, closes #25

jgarber · May 24, 2016 · 2ac9f74 · 2ac9f74
1 parent cddd03b
commit 2ac9f74
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 4 deletions.
diff --git a/lib/redcloth/formatters/html.rb b/lib/redcloth/formatters/html.rb
@@ -111,15 +111,15 @@ def bq_close(opts)
   end
 
   def link(opts)
-    if (filter_html || sanitize_html) && opts[:href] =~ /^\s*javascript:/
+    if (filter_html || sanitize_html) && opts[:href] =~ /^\s*javascript:/i
       opts[:name]
     else
       "<a href=\"#{escape_attribute opts[:href]}\"#{pba(opts)}>#{opts[:name]}</a>"
     end
   end
 
   def image(opts)
-    if (filter_html || sanitize_html) && ( opts[:src] =~ /^\s*javascript:/ || opts[:href] =~ /^\s*javascript:/ )
+    if (filter_html || sanitize_html) && ( opts[:src] =~ /^\s*javascript:/i || opts[:href] =~ /^\s*javascript:/i )
       opts[:title]
     else
       opts.delete(:align)

diff --git a/spec/security/CVE-2012-6684_spec.rb b/spec/security/CVE-2012-6684_spec.rb
@@ -8,6 +8,9 @@
     # PoC from http://co3k.org/blog/redcloth-unfixed-xss-en
     output = RedCloth.new('["clickme":javascript:alert(%27XSS%27)]', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html
     expect(output).to_not match(/href=.javascript:alert/)
+
+    output = RedCloth.new('["clickme":jAvascript:alert(%27XSS%27)]', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html
+    expect(output).to_not match(/href=.jAvascript:alert/)
   end
 
   it 'should not let javascript links pass through on images' do
@@ -18,5 +21,13 @@
     output = RedCloth.new('"!<javascript:alert(1)(2)!:javascript:prompt(document.domain)"', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html
     expect(output).to_not match(/src=.javascript:alert/)
     expect(output).to_not match(/href=.javascript:prompt/)
+
+    output = RedCloth.new('"!<jAvascript:alert(1)(2)!:jAvascript:prompt(document.domain)"').to_html
+    expect(output).to match(/src=.jAvascript:alert/)
+    expect(output).to match(/href=.jAvascript:prompt/)
+
+    output = RedCloth.new('"!<jAvascript:alert(1)(2)!:jAvascript:prompt(document.domain)"', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html
+    expect(output).to_not match(/src=.jAvascript:alert/)
+    expect(output).to_not match(/href=.jAvascript:prompt/)
   end
 end
diff --git a/tasks/release.rake b/tasks/release.rake
@@ -5,10 +5,10 @@ namespace :release do
   # change version in version.rb
   # update changelog
   # run rake test
-  
+
   task :gem do
     puts "Did you git tag and git push the tag for this release yet?"
-    sh("rm *.gem")
+    #sh("rm *.gem")
     sh("gem build redcloth.gemspec")
     sh("gem push RedCloth-*.gem")
   end