Merge pull request #914 from plone/isURLInPortal-hotfix

Apply isURLInPortal fix from https://pypi.python.org/pypi/Products.PloneHotfix20150910
plone · Sep 10, 2015 · 3da710a · 3da710a
2 parents 43a10d9 + 02de70b
commit 3da710a
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 0 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -8,6 +8,9 @@ Changelog
 5.0rc2 (unreleased)
 -------------------
 
+- Apply isURLInPortal fix from https://pypi.python.org/pypi/Products.PloneHotfix20150910
+  [vangheem]
+
 - Do not bother additional CRSF protection for addMember since all public
   users get same CSRF token and the method should be unpublished.
   See https://pypi.python.org/pypi/Products.PloneHotfix20150910

diff --git a/Products/CMFPlone/URLTool.py b/Products/CMFPlone/URLTool.py
@@ -30,6 +30,9 @@ def isURLInPortal(self, url, context=None):
         """
         # sanitize url
         url = re.sub('^[\x00-\x20]+', '', url).strip()
+        if ('<script' in url or '%3Cscript' in url or 'javascript:' in url or
+                'javascript%3A' in url):
+            return False
 
         p_url = self()
 

diff --git a/Products/CMFPlone/tests/testURLTool.py b/Products/CMFPlone/tests/testURLTool.py
@@ -96,3 +96,16 @@ def test_isURLInPortalExternal(self):
         self.assertFalse(iURLiP('http://external4/other'))
         self.assertFalse(iURLiP('http://external5'))
         self.assertFalse(iURLiP('http://external11'))
+
+    def test_script_tag_url_not_in_portal(self):
+        url_tool = self._makeOne()
+        iURLiP = url_tool.isURLInPortal
+        self.assertFalse(iURLiP('<script>alert("hi");</script>'))
+        self.assertFalse(
+            iURLiP('%3Cscript%3Ealert(%22hi%22)%3B%3C%2Fscript%3E'))
+
+    def test_inline_url_not_in_portal(self):
+        url_tool = self._makeOne()
+        iURLiP = url_tool.isURLInPortal
+        self.assertFalse(iURLiP('javascript%3Aalert(3)'))
+        self.assertFalse(iURLiP('javascript:alert(3)'))