Sha256: 700cd4bb7b1342e076878df9a1191f7493ad60dca8ef25248aeae6d525c06c89
Contents?: true
Size: 993 Bytes
Versions: 1
Compression:
Stored size: 993 Bytes
Contents
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6684 require 'redcloth' describe 'CVE-2012-6684' do it 'should not let javascript links pass through' do # PoC from http://co3k.org/blog/redcloth-unfixed-xss-en output = RedCloth.new('["clickme":javascript:alert(%27XSS%27)]', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html expect(output).to_not match(/href=.javascript:alert/) end it 'should not let javascript links pass through on images' do output = RedCloth.new('"!<javascript:alert(1)(2)!:javascript:prompt(document.domain)"').to_html expect(output).to match(/src=.javascript:alert/) expect(output).to match(/href=.javascript:prompt/) output = RedCloth.new('"!<javascript:alert(1)(2)!:javascript:prompt(document.domain)"', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html expect(output).to_not match(/src=.javascript:alert/) expect(output).to_not match(/href=.javascript:prompt/) end end
Version data entries
1 entries across 1 versions & 1 rubygems
Version | Path |
---|---|
RedCloth-4.3.1 | spec/security/CVE-2012-6684_spec.rb |