tenderlove / rails_autolink

The auto_link function from Rails
MIT License

Security: Quotes in href are not escaped #39

Open pschyska opened 11 years ago

pschyska commented 11 years ago

Consider the following:

[2] pry(main)> puts helper.auto_link %{http://"onmouseover='alert(1)'a="a.jpg}
<a href="http://"onmouseover='alert(1)'a="a.jpg">http://"onmouseover='alert(1)'a="a.jpg</a>

In this case, someone could inject attributes, because the " in the input string closes the href attribute. Shouldn't " be URL encoded here? I didn't find a way to make rails_autolink do that.

Thanks,

Paul

pschyska commented 11 years ago

URI::encode'ing like this https://github.com/pschyska/rails_autolink/commit/60fac26b30127c427f5eb2272502a837c31bf70b helps. I'm not 100% sure that that's the correct way to approach this. Also, I didn't get your test suite to run. Any special requirements for that?
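An added example (not rails_autolink's own code, and not the URI::encode change linked above) showing the attribute-injection pattern from the first post beside a hardened link builder that HTML-escapes the href value, plus a check that detects whether the href attribute was closed early. The function names and the check are assumptions for illustration.

```ruby
require "cgi"

# Constructed input, copied from the issue report above.
REPORTED_INPUT = %{http://"onmouseover='alert(1)'a="a.jpg}

# Vulnerable pattern: the URL is interpolated into the href attribute unescaped,
# so a '"' in the input terminates the attribute value early.
def unsafe_link(url)
  %(<a href="#{url}">#{url}</a>)
end

# Hardened pattern: escape '"', "'", '<', '>' and '&' before placing the value
# inside an attribute (and inside the link text), so the quote cannot close href.
def safe_link(url)
  escaped = CGI.escapeHTML(url)
  %(<a href="#{escaped}">#{escaped}</a>)
end

# Defensive check for rendered output: true when nothing sits between the
# closing quote of href and the end of the opening <a> tag, i.e. no extra
# attributes were smuggled in by an early '"'.
def href_attribute_intact?(html)
  m = html.match(/<a href="([^"]*)"(.*?)>/)
  return false unless m
  m[2].empty?
end

if __FILE__ == $0
  puts unsafe_link(REPORTED_INPUT)
  puts safe_link(REPORTED_INPUT)
  puts href_attribute_intact?(unsafe_link(REPORTED_INPUT)) # false
  puts href_attribute_intact?(safe_link(REPORTED_INPUT))   # true
end
```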

travisp commented 10 years ago

I'm having trouble replicating this:

[22] pry(main)> puts helper.auto_link %{http://"onmouseover='alert(1)'a="a.jpg}
http://"onmouseover='alert(1)'a="a.jpg

is there something I'm missing? Do you have the latest version?

groe commented 8 years ago

Cannot replicate this with http://"onmouseover='alert(1)'a="a.jpg