jro_apps/redmine Commit - r15051:a4bc8980126f

Limits the schemes that inline images can use (#22926)....

Jean-Philippe Lang -

r15051:a4bc8980126f

parent child

Context file:

r15051:a4bc8980126f

lib/redcloth3.rb +3 0

              #  class RedCloth::Textile.new( str )
              class RedCloth3 < String
+                 include Redmine::Helpers::URL
                  VERSION = '3.0.4'
                  DEFAULT_RULES = [:textile, :markdown]
                          href, alt_title = check_refs( href ) if href
                          url, url_title = check_refs( url )
+                         return m unless uri_with_safe_scheme?(url)
                          out = ''
                          out << "<a#{ shelve( " href=\"#{ href }\"" ) }>" if href
                          out << "<img#{ shelve( atts ) } />"

lib/redmine/wiki_formatting/markdown/formatter.rb +6 0

                          "<pre>" + CGI.escapeHTML(code) + "</pre>"
                        end
                      end
+                     def image(link, title, alt_text)
+                       return unless uri_with_safe_scheme?(link)
+                       tag('img', :src => link, :alt => alt_text || "", :title => title)
+                     end
                    end
                    class Formatter

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages