tenderlove / rails_autolink

The auto_link function from Rails
MIT License

Fixed XSS issue with link attributes #47

Closed fcsonline closed 10 years ago

fcsonline commented 10 years ago

The current version of auto_link is vulnerable to an XSS attack:

https://www.foobar.com/"onmouseover="prompt()

you will get

<a href="https://www.foobar.com/" onmouseover="prompt()">https://www.foobar.com/"onmouseover="prompt()</a>

Solution:

The regexp should find characters until a " is found. Then the result is:

<a href="https://www.foobar.com/">https://www.foobar.com/"onmouseover="prompt()</a>onmouseover="prompt()"
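
The defect and the fix the report describes, as an added Ruby example that is not the gem's own code: a minimal autolinker in the vulnerable shape (the URL match is allowed to run into `"`) beside a hardened one whose pattern stops at `"` and which also HTML-escapes the href value and the text (escaping is an extra defence on top of the regexp change the PR proposes), plus a check a test suite can run over the output. The pattern is constructed for this example; trailing-punctuation handling and the gem's other options are left out.

```ruby
require "cgi"

# Constructed pattern (not the gem's own): a scheme, then a run of characters
# that are not whitespace, '<', '>' or '"', so a match can never run past the
# quote that closes the generated href attribute.
URL_RE = %r{https?://[^\s<>"]+}

# Shape of the defect the report describes: the URL match is allowed to
# contain '"' and is interpolated into the href attribute without escaping.
def auto_link_vulnerable(text)
  text.gsub(%r{https?://[^\s<>]+}) { |url| %(<a href="#{url}">#{url}</a>) }
end

# Hardened version: the match stops at '"', and every piece of the output
# (href value, link text and the text between links) is HTML-escaped.
def auto_link_safe(text)
  text.split(/(#{URL_RE})/).map do |piece|
    if piece.match?(/\A#{URL_RE}\z/)
      escaped = CGI.escapeHTML(piece)
      %(<a href="#{escaped}">#{escaped}</a>)
    else
      CGI.escapeHTML(piece)
    end
  end.join
end

# Defender's check for a test suite: the only attribute an emitted <a>
# may carry is a single quoted href.
def extra_attributes?(html)
  html.scan(/<a\s+([^>]*)>/).any? { |(attrs)| attrs !~ /\Ahref="[^"]*"\z/ }
end

if __FILE__ == $PROGRAM_NAME
  payload = 'https://www.foobar.com/"onmouseover="prompt()'  # input from the report
  puts auto_link_vulnerable(payload)
  puts auto_link_safe(payload)
end
```
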

tenderlove commented 10 years ago

@fcsonline congratulations! You are now a rails_autolink-core team member. Please merge this PR yourself. Also, send me your email address and I'll give you release privilege on rubygems.org.

masylum commented 10 years ago

:tada:

tardate commented 10 years ago

@fcsonline I merged this into a 1.1.6 release with a few other PRs. Please do check to make sure after the merge all is still well!

fcsonline commented 10 years ago

Thanks! I'll do it.