AO3-4200 Add rel=nofollow to links to reduce SEO usefulness for spammers #3137
| @@ -27,6 +27,10 @@ module Config | ||
| 'th' => ['abbr', 'axis', 'colspan', 'height', 'rowspan', 'scope', 'width'], | ||
| 'ul' => ['type'], | ||
| }, | ||
| + | ||
| + add_attributes: { | ||
| + 'a' => {'rel' => 'nofollow'} |
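Review bot: nothing in the test changes visible in this PR asserts that the new `add_attributes` entry actually emits `rel="nofollow"` on sanitized anchors. Add a spec that runs a string such as `<a href="http://example.invalid/">x</a>` through the sanitizer for each affected field and checks that the output carries `rel="nofollow"`, plus one that pins down the behaviour when the input already has its own `rel` value, so a later config change cannot silently drop the attribute. If `target` is among the allowed attributes for `a` (not visible in this hunk), also consider whether `noopener` belongs next to `nofollow`, since this `add_attributes` entry is the natural place to set it.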
sarken added the Awaiting review label on Nov 2, 2017
| - end | ||
| - | ||
| + | ||
| + context "Sanitize tags allowed only in the content field" do |
| + end | ||
| + | ||
| + context "Strip out tags not allowed in text fields other than content" do | ||
| + [:endnotes, :notes, :summary].each do |field| |
| - ].each do |value| | ||
| - it "should strip script tags: #{value}" do | ||
| - result = sanitize_value(:content, value) | ||
| + [:content, :endnotes, :notes, :summary].each do |field| |
| - it "should strip script tags: #{value}" do | ||
| - result = sanitize_value(:content, value) | ||
| + [:content, :endnotes, :notes, :summary].each do |field| | ||
| + context "Sanitize #{field} field" do |
| + | ||
| + ["'';!--\"<XSS>=&{()}", | ||
| + '<XSS STYLE="behavior: url(xss.htc);">' | ||
| + ].each do |value| |
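Review bot: with the specs now looping over `[:content, :endnotes, :notes, :summary]` and wrapping each in `context "Sanitize #{field} field"`, the old example descriptions of the form `"should strip script tags: #{value}"` (previously hard-wired to `:content` via `sanitize_value(:content, value)`) should name the field as well as the value, e.g. `"should strip script tags in #{field}: #{value}"`, otherwise a failure in one field's run is hard to tell apart from the same vector failing in another. The two sibling contexts, "Sanitize tags allowed only in the content field" and "Strip out tags not allowed in text fields other than content", should also each state in their descriptions which tags they cover, since the field list at `[:endnotes, :notes, :summary]` deliberately excludes `:content` and that asymmetry is the whole point of the split.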
houndci-bot commented Nov 3, 2017
Closing array brace must be on the same line as the last array element when opening brace is on the same line as the first array element.
| + "<SCRIPT>alert(/XSS/.source)</SCRIPT>", | ||
| + '</TITLE><SCRIPT>alert("XSS");</SCRIPT>', | ||
| + '<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>' | ||
| + ].each do |value| |
houndci-bot commented Nov 3, 2017
Closing array brace must be on the same line as the last array element when opening brace is on the same line as the first array element.
| + ["\\\";alert('XSS');//", | ||
| + "xss:expr/*blah*/ession(alert('XSS'))", | ||
| + "xss:expression(alert('XSS'))" | ||
| + ].each do |value| |
houndci-bot commented Nov 3, 2017
Closing array brace must be on the same line as the last array element when opening brace is on the same line as the first array element.
| + "<IMG SRC=\"jav	ascript:alert('XSS');\">", | ||
| + "<IMG SRC=\"jav
ascript:alert('XSS');\">", | ||
| + "<IMG SRC=\"jav
ascript:alert('XSS');\">", | ||
| + ].each do |value| |
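Review bot: the three `<IMG SRC="jav...ascript:alert('XSS');">` vectors embed raw whitespace characters inside the string literal (a literal tab in the first, and the second and third wrap onto a new line in the rendered diff), so it is impossible to tell on screen which obfuscation variant each case exercises, and any editor or linter that normalises whitespace will silently change the test input. Write them with explicit escapes in double-quoted strings (`"<IMG SRC=\"jav\tascript:alert('XSS');\">"` and the `\n` / `\r` equivalents) so each variant is visible and stable.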
houndci-bot commented Nov 3, 2017
Closing array brace must be on the same line as the last array element when opening brace is on the same line as the first array element.
| + '<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">', | ||
| + "<META HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http://;URL=javascript:alert('XSS');\">", | ||
| + "<META HTTP-EQUIV=\"Set-Cookie\" Content=\"USERID=<SCRIPT>alert('XSS')</SCRIPT>\">" | ||
| + ].each do |value| |
houndci-bot commented Nov 3, 2017
Closing array brace must be on the same line as the last array element when opening brace is on the same line as the first array element.
| + | ||
| + ["<BODY ONLOAD=alert('XSS')>", | ||
| + '<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>', | ||
| + ].each do |value| |
houndci-bot commented Nov 3, 2017
Closing array brace must be on the same line as the last array element when opening brace is on the same line as the first array element.
| + | ||
| + ["<!--#exec cmd=\"/bin/echo '<SCR'\"-->", | ||
| + "<!--#exec cmd=\"/bin/echo 'IPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'\"-->" | ||
| + ].each do |value| |
houndci-bot commented Nov 3, 2017
Closing array brace must be on the same line as the last array element when opening brace is on the same line as the first array element.
ariana-paris commented Nov 2, 2017
Issue: https://otwarchive.atlassian.net/browse/AO3-4200
Purpose: Adds rel="nofollow" to all tags in sanitised fields to reduce their usefulness as SEO-boosters for spam.
Testing: See JIRA.