From 330912e1e5cf065218eef2bae9819c63ddef8e1b Mon Sep 17 00:00:00 2001
From: Maja Komel
Date: Tue, 30 Jan 2018 01:02:23 +0100
Subject: [PATCH] FIX: allowed href scheme link can start with a + (#5537)

* allowed href scheme link can start with a +
* allow tel:// links only to start with +
* add missing semicolon
* add test
---
 app/assets/javascripts/pretty-text/sanitizer.js.es6 | 3 +++
 spec/components/pretty_text_spec.rb | 11 +++++++++++
 2 files changed, 14 insertions(+)

diff --git a/app/assets/javascripts/pretty-text/sanitizer.js.es6 b/app/assets/javascripts/pretty-text/sanitizer.js.es6
index 512e33284656f..3729dfa6e9a74 100644
--- a/app/assets/javascripts/pretty-text/sanitizer.js.es6
+++ b/app/assets/javascripts/pretty-text/sanitizer.js.es6
@@ -73,6 +73,9 @@ export function sanitize(text, whiteLister) {
 
   if (allowedHrefSchemes && allowedHrefSchemes.length > 0) {
     extraHrefMatchers = [new RegExp('^(' + allowedHrefSchemes.join('|') + '):\/\/[\\w\\.\\-]+','i')];
+    if (allowedHrefSchemes.includes('tel')) {
+      extraHrefMatchers.push(new RegExp('^tel:\/\/\\+?[\\w\\.\\-]+','i'));
+    }
   }
 
   let result = xss(text, {
diff --git a/spec/components/pretty_text_spec.rb b/spec/components/pretty_text_spec.rb
index 918056cc42fa3..6e0ee7e045860 100644
--- a/spec/components/pretty_text_spec.rb
+++ b/spec/components/pretty_text_spec.rb
@@ -811,6 +811,17 @@ def test_s3_cdn
     expect(cooked).to eq(n expected)
   end
 
+  it 'allows only tel URL scheme to start with a plus character' do
+    SiteSetting.allowed_href_schemes = "tel|steam"
+    cooked = cook("[Tel URL Scheme](tel://+452530579785)")
+    expected = '
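Review bot: The new `tel` matcher pushed on the added `extraHrefMatchers.push(...)` line is anchored only at the start (`^tel:\/\/\\+?[\\w\\.\\-]+`), so it vets the scheme, the optional `+` and the first run of word characters and never looks at whatever follows in the href, exactly like the generic scheme matcher on the line above it. If these matchers are deliberately prefix checks and the rest of the value is still handled by the sanitizer's normal attribute processing (that code is outside the hunk), a one-line comment would stop a later reader from tightening or loosening them by accident, e.g. `// Prefix check only: tel numbers may carry a leading +; the rest of the href is still processed by xss below.` If a matched href is instead passed through unchanged, both patterns should be closed with a `$` anchor, e.g. `'^tel:\/\/\\+?[\\w\\.\\-]+$'`, so that a permitted prefix cannot smuggle an arbitrary tail. Note also that RFC 3966 tel URIs take the form `tel:+number` with no `//`, which this pattern does not accept; that may be intentional given the `://` form the generic matcher already requires, but it is worth stating in the comment.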

Tel URL Scheme

'
+    expect(cooked).to eq(n expected)
+
+    cooked2 = cook("[Steam URL Scheme](steam://+store/452530)")
+    expected2 = '

Steam URL Scheme

'
+    expect(cooked2).to eq(n expected2)
+  end
+
   it "produces hashtag links" do
     category = Fabricate(:category, name: 'testing')
     category2 = Fabricate(:category, name: 'known')
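Review bot: The new example only exercises the `+`-prefixed form for `tel` (`tel://+452530579785`) and the rejected `+` form for `steam`; nothing pins that a plain `tel://452530579785` still cooks to a link, even though the `+?` in the matcher is what keeps that working. A third `cook`/`expect` pair with the unprefixed number, e.g. `cooked3 = cook("[Tel URL Scheme](tel://452530579785)")`, would guard against a later regex change that makes the `+` mandatory. The expected HTML strings are not legible on this page, so I cannot check what the second assertion requires for the dropped `steam` href, and I am assuming `SiteSetting.allowed_href_schemes` is reset between examples by the test harness rather than leaking into the `hashtag links` example that follows. The enclosing `describe` block starts outside the hunk.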