Fix transformers to avoid XSS

getty104 · getty104 · commit 5a5ffe53647e · 2021-03-18T12:16:46.000+09:00
diff --git a/lib/qiita/markdown/transformers/filter_iframe.rb b/lib/qiita/markdown/transformers/filter_iframe.rb
@@ -42,8 +42,8 @@ def node
 
         def host_of(url)
           if url
-            port = URI.parse(url).port
-            Addressable::URI.parse(url).host if [443, 80].include? port
+            scheme = URI.parse(url).scheme
+            Addressable::URI.parse(url).host if ["http", "https"].include? scheme
           end
         rescue Addressable::URI::InvalidURIError
           nil
diff --git a/lib/qiita/markdown/transformers/filter_script.rb b/lib/qiita/markdown/transformers/filter_script.rb
@@ -44,8 +44,8 @@ def node
 
         def host_of(url)
           if url
-            port = URI.parse(url).port
-            Addressable::URI.parse(url).host if [443, 80].include? port
+            scheme = URI.parse(url).scheme
+            Addressable::URI.parse(url).host if ["http", "https"].include? scheme
           end
         rescue Addressable::URI::InvalidURIError
           nil
diff --git a/spec/qiita/markdown/processor_spec.rb b/spec/qiita/markdown/processor_spec.rb
@@ -1616,7 +1616,7 @@
       context "with embed iframe code with xss" do
         let(:markdown) do
           <<-MARKDOWN.strip_heredoc
-            <iframe src="javascript://docs.google.com/presentation/d/example/embed" frameborder="0" width="482" height="300" allowfullscreen="true" mozallowfullscreen="true" webkitallowfullscreen="true"></iframe>
+            <iframe src="javascript://docs.google.com:80/%0d%0aalert(document.domain)" frameborder="0" width="482" height="300" allowfullscreen="true" mozallowfullscreen="true" webkitallowfullscreen="true"></iframe>
           MARKDOWN
 
           it "forces width attribute on iframe" do
