tenderlove/rails_autolink

Security: Quotes in href are not escaped

pschyska opened this issue · 3 comments

Consider the following:

[2] pry(main)> puts helper.auto_link %{http://"onmouseover='alert(1)'a="a.jpg}
<a href="http://"onmouseover='alert(1)'a="a.jpg">http://"onmouseover='alert(1)'a="a.jpg</a>

In this case, someone could inject attributes, because the " in the input string closes the href attribute. Shouldn't " be URL-encoded here?
I didn't find a way to make rails_autolink do that.

Thanks,

Paul
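To make the hazard concrete, here is an added, stand-alone Ruby example (not rails_autolink's code, nor code from the reporter): a deliberately naive autolinker that reproduces the output in the report beside a hardened one that percent-encodes the URL (so the quote becomes %22, as the reporter proposes) and then HTML-escapes it for the attribute context. The URL_RE pattern is a simplification assumed for the demonstration, the payload is the one from the issue, and attribute_names is a rough tokenizer used only to show which attributes a lenient HTML parser would see.

```ruby
require "erb"
require "uri"

# Attacker-controlled input, taken from the issue above: the embedded double
# quote terminates the href attribute if it is copied into the markup raw.
PAYLOAD = %{http://"onmouseover='alert(1)'a="a.jpg}

# Assumed, deliberately simple URL matcher for this demonstration only
# (not the matcher rails_autolink uses).
URL_RE = %r{https?://[^\s<>]+}

# Vulnerable autolinker: interpolates the matched URL straight into the
# attribute, reproducing the markup shown in the issue.
def naive_auto_link(text)
  text.gsub(URL_RE) { |url| %{<a href="#{url}">#{url}</a>} }
end

# Percent-encode every character outside the RFC 2396 unreserved/reserved
# sets, so a double quote becomes %22 and the href stays a well-formed URL.
# URI::RFC2396_Parser#escape exists on Ruby 2.x and 3.x; the removed
# top-level URI.escape does not.
def percent_encode_url(url)
  URI::RFC2396_Parser.new.escape(url)
end

# Hardened autolinker: percent-encode the URL, then HTML-escape it for the
# attribute (defence in depth: a stray quote could no longer end the
# attribute even if encoding were skipped), and escape the link text too.
def safe_auto_link(text)
  text.gsub(URL_RE) do |url|
    href = ERB::Util.html_escape(percent_encode_url(url))
    %{<a href="#{href}">#{ERB::Util.html_escape(url)}</a>}
  end
end

# Rough attribute tokenizer for the first <a> tag: consumes name=value pairs
# the way a lenient HTML parser would, treating a quoted value as ending at
# the matching quote. Returns the attribute names in order.
def attribute_names(html)
  inside = html[/<a\s+([^>]*)>/, 1]
  inside.scan(/([A-Za-z][\w-]*)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]*)/).flatten
end

if __FILE__ == $0
  puts naive_auto_link(PAYLOAD)
  puts safe_auto_link(PAYLOAD)
  p attribute_names(naive_auto_link(PAYLOAD)) # => ["href", "onmouseover", "a"]
  p attribute_names(safe_auto_link(PAYLOAD))  # => ["href"]
end
```

Run it with `ruby autolink_demo.rb`: the naive version yields an anchor with three attributes, one of them an event handler, while the hardened version yields a single href whose value is `http://%22onmouseover=&#39;alert(1)&#39;a=%22a.jpg`. Percent-encoding alone fixes the reported case; the HTML escaping is there so that a future encoding gap cannot reopen the attribute context.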

URI::encode'ing like this pschyska@60fac26 helps. I'm not 100% sure that that's the correct way to approach this.
Also, I didn't get your test suite to run. Any special requirements for that?

I'm having trouble replicating this:

[22] pry(main)> puts helper.auto_link %{http://"onmouseover='alert(1)'a="a.jpg}
http://"onmouseover='alert(1)'a="a.jpg

is there something I'm missing? Do you have the latest version?

groe commented

Cannot replicate this with http://"onmouseover='alert(1)'a="a.jpg