Merge pull request increments#84 from increments/fix-xss

Fix transformers to avoid XSS

Author: getty104

lib/qiita/markdown/transformers/filter_iframe.rb

@@ -42,10 +42,10 @@ def node
 
         def host_of(url)
           if url
-            port = URI.parse(url).port
-            Addressable::URI.parse(url).host if [443, 80].include? port
+            scheme = URI.parse(url).scheme
+            Addressable::URI.parse(url).host if ["http", "https"].include? scheme
           end
-        rescue Addressable::URI::InvalidURIError
+        rescue Addressable::URI::InvalidURIError, URI::InvalidURIError
           nil
         end
       end

lib/qiita/markdown/transformers/filter_script.rb

@@ -44,10 +44,10 @@ def node
 
         def host_of(url)
           if url
-            port = URI.parse(url).port
-            Addressable::URI.parse(url).host if [443, 80].include? port
+            scheme = URI.parse(url).scheme
+            Addressable::URI.parse(url).host if ["http", "https"].include? scheme
           end
-        rescue Addressable::URI::InvalidURIError
+        rescue Addressable::URI::InvalidURIError, URI::InvalidURIError
           nil
         end
       end

spec/qiita/markdown/processor_spec.rb

@@ -1616,7 +1616,7 @@
       context "with embed iframe code with xss" do
         let(:markdown) do
           <<-MARKDOWN.strip_heredoc
-            <iframe src="javascript://docs.google.com/presentation/d/example/embed" frameborder="0" width="482" height="300" allowfullscreen="true" mozallowfullscreen="true" webkitallowfullscreen="true"></iframe>
+            <iframe src="javascript://docs.google.com:80/%0d%0aalert(document.domain)" frameborder="0" width="482" height="300" allowfullscreen="true" mozallowfullscreen="true" webkitallowfullscreen="true"></iframe>
           MARKDOWN
 
           it "forces width attribute on iframe" do