From 6d5144b0d720a5a8940d5ef08dd60cd665ca04f1 Mon Sep 17 00:00:00 2001
From: Charmander <campersander@gmail.com>
Date: Wed, 12 Feb 2014 18:19:30 -0800
Subject: Added proper HTML scrubbing.

---
 Gemfile                                                     | 1 +
 lib/redmine/wiki_formatting/markdown/formatter.rb           | 5 +++--
 test/unit/lib/redmine/wiki_formatting/markdown_formatter.rb | 5 +++++
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/Gemfile b/Gemfile
index e84b8b3..2a52093 100644
--- a/Gemfile
+++ b/Gemfile
@@ -32,6 +32,7 @@ platforms :mri, :mingw do
   group :markdown do
     # TODO: upgrade to redcarpet 3.x when ruby1.8 support is dropped
     gem "redcarpet", "~> 2.3.0"
+    gem "loofah", "~> 1.2.0"
   end
 end
 
diff --git a/lib/redmine/wiki_formatting/markdown/formatter.rb b/lib/redmine/wiki_formatting/markdown/formatter.rb
index c340fc1..e78d867 100644
--- a/lib/redmine/wiki_formatting/markdown/formatter.rb
+++ b/lib/redmine/wiki_formatting/markdown/formatter.rb
@@ -16,6 +16,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
 require 'cgi'
+require 'loofah'
 
 module Redmine
   module WikiFormatting
@@ -57,7 +58,8 @@ module Redmine
           html.gsub!(/(\w):&quot;(.+?)&quot;/) do
             "#{$1}:\"#{$2}\""
           end
-          html
+          # return scrubbed HTML
+          Loofah.fragment(html).scrub!(:strip).to_s
         end
 
         def get_section(index)
@@ -119,7 +121,6 @@ module Redmine
         def formatter
           @@formatter ||= Redcarpet::Markdown.new(
             Redmine::WikiFormatting::Markdown::HTML.new(
-              :filter_html => true,
               :hard_wrap => true
             ),
             :autolink => true,
diff --git a/test/unit/lib/redmine/wiki_formatting/markdown_formatter.rb b/test/unit/lib/redmine/wiki_formatting/markdown_formatter.rb
index 458bc43..7ac36d4 100644
--- a/test/unit/lib/redmine/wiki_formatting/markdown_formatter.rb
+++ b/test/unit/lib/redmine/wiki_formatting/markdown_formatter.rb
@@ -60,5 +60,10 @@ STR
     assert_equal '<p>This is a <a href="/issues">link</a></p>', @formatter.new(text).to_html.strip
   end
 
+  def test_html_is_safe
+    text = '<script>alert(1)</script> <b onclick="alert(1)">clickable</b> [bad link](javascript:alert(1\\))'
+    assert_equal '<p>alert(1) <b>clickable</b> <a class="external">bad link</a></p>', @formatter.new(text).to_html.strip
+  end
+
   end
 end
-- 
1.8.5.4