Escape original content in reference redactor

Merge branch 'security-fix-reference-redactor-xss-14-9' into '14-9-stable-ee' See merge request gitlab-org/security/gitlab!2317 Changelog: security

Escape original content in reference redactor
b33b170a · Heinrich Lee Yu · GitLab Release Tools Bot · 999a4a9a · b33b170a · b33b170a
Commit b33b170a authored 2 years ago by Heinrich Lee Yu Committed by GitLab Release Tools Bot 2 years ago
--- a/lib/banzai/reference_redactor.rb
+++ b/lib/banzai/reference_redactor.rb
@@ -65,16 +65,15 @@ module Banzai
    #
    def redacted_node_content(node)
      original_content = node.attr('data-original')
-      link_reference = node.attr('data-link-reference')
+      original_content = CGI.escape_html(original_content) if original_content
  
      # Build the raw <a> tag just with a link as href and content if
      # it's originally a link pattern. We shouldn't return a plain text href.
      original_link =
-        if link_reference == 'true'
+        if node.attr('data-link-reference') == 'true'
          href = node.attr('href')
-          content = original_content
  
-          %(<a href="#{href}">#{content}</a>)
+          %(<a href="#{href}">#{original_content}</a>)
        end
  
      # The reference should be replaced by the original link's content,

--- a/spec/lib/banzai/reference_redactor_spec.rb
+++ b/spec/lib/banzai/reference_redactor_spec.rb
@@ -35,7 +35,7 @@ RSpec.describe Banzai::ReferenceRedactor do
      end
  
      context 'when data-original attribute provided' do
-        let(:original_content) { '<code>foo</code>' }
+        let(:original_content) { '&lt;script&gt;alert(1);&lt;/script&gt;' }
  
        it 'replaces redacted reference with original content' do
          doc = Nokogiri::HTML.fragment("<a class='gfm' href='https://www.gitlab.com' data-reference-type='issue' data-original='#{original_content}'>bar</a>")