Merge branch 'security-2682-fix-xss-for-markdown-toc' into 'master'

[master] Fix xss for Markdown elements where [[_TOC_]] is enabled See merge request gitlab/gitlabhq!2400

Merge branch 'security-2682-fix-xss-for-markdown-toc' into 'master'
[master] Fix xss for Markdown elements where [[_TOC_]] is enabled See merge request gitlab/gitlabhq!2400
9d6499a5 · Alessio Caiazza · 70c02bf3 · 00c68e1b · 9d6499a5 · 9d6499a5
Commit 9d6499a5 authored Jun 25, 2018 by Alessio Caiazza
3 changed files
--- a/changelogs/unreleased/security-2682-fix-xss-for-markdown-toc.yml
+++ b/changelogs/unreleased/security-2682-fix-xss-for-markdown-toc.yml
+---
+title: Fix XSS vulnerability for table of content generation
+merge_request:
+author:
+type: security
--- a/lib/banzai/filter/table_of_contents_filter.rb
+++ b/lib/banzai/filter/table_of_contents_filter.rb
@@ -92,7 +92,7 @@ module Banzai
        def text
          return '' unless node

-          @text ||= node.text
+          @text ||= EscapeUtils.escape_html(node.text)
        end

        private

--- a/spec/lib/banzai/filter/table_of_contents_filter_spec.rb
+++ b/spec/lib/banzai/filter/table_of_contents_filter_spec.rb
@@ -139,5 +139,14 @@ describe Banzai::Filter::TableOfContentsFilter do
        expect(items[5].ancestors).to include(items[4])
      end
    end
+
+    context 'header text contains escaped content' do
+      let(:content) { '&lt;img src="x" onerror="alert(42)"&gt;' }
+      let(:results) { result(header(1, content)) }
+
+      it 'outputs escaped content' do
+        expect(doc.inner_html).to include(content)
+      end
+    end
  end
 end