From c61c394ab57ad5cc60fc0e2e5749f411ca16c88a Mon Sep 17 00:00:00 2001
From: Juliana Rodrigueiro <juliana.rodrigueiro@intra2net.com>
Date: Sun, 30 Jul 2017 13:34:16 +0200
Subject: [PATCH] Encode target url and adapted unit tests

---
 src/restricted_html.cpp       |    2 +-
 test/test_restricted_html.cpp |   36 +++++++++++++++++++++++++++++++++---
 2 files changed, 34 insertions(+), 4 deletions(-)

diff --git a/src/restricted_html.cpp b/src/restricted_html.cpp
index 705d927..52e68ec 100644
--- a/src/restricted_html.cpp
+++ b/src/restricted_html.cpp
@@ -98,7 +98,7 @@ bool link_sanitizer(string &tag)
     if (link.find("javascript:") != string::npos)
         return false;
 
-    tag = AHREF + "\"" + REDIRECT_PREFIX + link + "\" " + TARGET_BLANK + ">";
+    tag = AHREF + "\"" + REDIRECT_PREFIX + encode_url(link) + "\" " + TARGET_BLANK + ">";
 
     return true;
 }
diff --git a/test/test_restricted_html.cpp b/test/test_restricted_html.cpp
index b32e403..b4d21ae 100644
--- a/test/test_restricted_html.cpp
+++ b/test/test_restricted_html.cpp
@@ -36,7 +36,7 @@ BOOST_AUTO_TEST_SUITE(test_restricted_html)
 BOOST_AUTO_TEST_CASE(BasicTest)
 {
     string output = restrict_html("<h1>Table</h1><table>  <tr><th>Month</th>    <th>Savings</th>  </tr>  <tr>    <td>January</td>    <td>$100</td>  </tr></table> <p>Paragraph with a <a href=\"https://example.de\"><i>Acceptable Link</i></a>.</p> <ul>  <li>Coffee</li>   <li>Tea</li>  <li>Milk</li></ul>");
-    BOOST_CHECK_EQUAL(string("<h1>Table</h1><table>  <tr><th>Month</th>    <th>Savings</th>  </tr>  <tr>    <td>January</td>    <td>$100</td>  </tr></table> <p>Paragraph with a <a href=\"/arnie?form=redirect&url=https://example.de\" target=_blank><i>Acceptable Link</i></a>.</p> <ul>  <li>Coffee</li>   <li>Tea</li>  <li>Milk</li></ul>"), output);
+    BOOST_CHECK_EQUAL(string("<h1>Table</h1><table>  <tr><th>Month</th>    <th>Savings</th>  </tr>  <tr>    <td>January</td>    <td>$100</td>  </tr></table> <p>Paragraph with a <a href=\"/arnie?form=redirect&url=https%3A%2F%2Fexample%2Ede\" target=_blank><i>Acceptable Link</i></a>.</p> <ul>  <li>Coffee</li>   <li>Tea</li>  <li>Milk</li></ul>"), output);
 }
 
 BOOST_AUTO_TEST_CASE(ScriptInjection)
@@ -90,7 +90,7 @@ BOOST_AUTO_TEST_CASE(ExtraAttribute3)
 BOOST_AUTO_TEST_CASE(AhrefLink)
 {
     string output = restrict_html("<a href=\"http://i2n.de/\" >test</a>");
-    BOOST_CHECK_EQUAL(string("<a href=\"/arnie?form=redirect&url=http://i2n.de/\" target=_blank>test</a>"), output);
+    BOOST_CHECK_EQUAL(string("<a href=\"/arnie?form=redirect&url=http%3A%2F%2Fi2n%2Ede%2F\" target=_blank>test</a>"), output);
 }
 
 BOOST_AUTO_TEST_CASE(AhrefLink2)
@@ -102,7 +102,7 @@ BOOST_AUTO_TEST_CASE(AhrefLink2)
 BOOST_AUTO_TEST_CASE(AhrefProtocol)
 {
     string output = restrict_html("<a href=\"http://www.foo.com\">foo</a>");
-    BOOST_CHECK_EQUAL(string("<a href=\"/arnie?form=redirect&url=http://www.foo.com\" target=_blank>foo</a>"), output);
+    BOOST_CHECK_EQUAL(string("<a href=\"/arnie?form=redirect&url=http%3A%2F%2Fwww%2Efoo%2Ecom\" target=_blank>foo</a>"), output);
 }
 
 BOOST_AUTO_TEST_CASE(AhrefWrongProtocol)
@@ -135,6 +135,36 @@ BOOST_AUTO_TEST_CASE(UnsafeURLChars2)
     BOOST_CHECK_EQUAL(string(" Test Me!!"), output);
 }
 
+BOOST_AUTO_TEST_CASE(EncodedURL)
+{
+    string output = restrict_html("<A HREF=\"http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D\">test</A>");
+    BOOST_CHECK_EQUAL(string("<a href=\"/arnie?form=redirect&url=http%3A%2F%2Fwww%2Egoogle%2Ecom\" target=_blank>test</a>"), output);
+}
+
+BOOST_AUTO_TEST_CASE(InvalidRedirection)
+{
+    string output = restrict_html("<a href=\"/arnie?form=redirect&url=javascript:alert(String.fromCharCode(88,83,83))\">test</a>");
+    BOOST_CHECK_EQUAL(string("test"), output);
+}
+
+BOOST_AUTO_TEST_CASE(InvalidRedirection2)
+{
+    string output = restrict_html("<a href=/arnie?form=redirect&url=http://something.com;href=javascript:alert(1)>test</a>");
+    BOOST_CHECK_EQUAL(string("test"), output);
+}
+
+BOOST_AUTO_TEST_CASE(InvalidTag)
+{
+    string output = restrict_html("<STYLE TYPE=\"text/javascript\">alert('XSS');</STYLE>");
+    BOOST_CHECK_EQUAL(string("alert(&#x27;XSS&#x27;);"), output);
+}
+
+BOOST_AUTO_TEST_CASE(InvalidTag2)
+{
+    string output = restrict_html("<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>");
+    BOOST_CHECK_EQUAL(string(""), output);
+}
+
 BOOST_AUTO_TEST_CASE(DecodeStringURL)
 {
     string output = decode_url("%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D");
-- 
1.7.1