diff --git a/CHANGELOG b/CHANGELOG
index 63077523aaa0dd1cb9424698b060eb08ba40fd43..917f9ed3a87739128f22eab6bb74da1d82021748 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -2,6 +2,7 @@ Please view this file on the master branch, on stable branches it's out of date.
v 8.8.0 (unreleased)
- Assign labels and milestone to target project when moving issue. !3934 (Long Nguyen)
+ - Use a case-insensitive comparison in sanitizing URI schemes
- Project#open_branches has been cleaned up and no longer loads entire records into memory.
- Escape HTML in commit titles in system note messages
- Improve multiple branch push performance by memoizing permission checking
diff --git a/lib/banzai/filter/sanitization_filter.rb b/lib/banzai/filter/sanitization_filter.rb
index 42dbab9d27e97d1a6067ceea3eb3acb6b5bb726e..ca80aac5a0894c810f5a0852cc43d05a125d9b65 100644
--- a/lib/banzai/filter/sanitization_filter.rb
+++ b/lib/banzai/filter/sanitization_filter.rb
@@ -63,7 +63,7 @@ def remove_unsafe_links
begin
uri = Addressable::URI.parse(node['href'])
- uri.scheme.strip! if uri.scheme
+ uri.scheme = uri.scheme.strip.downcase if uri.scheme
node.remove_attribute('href') if UNSAFE_PROTOCOLS.include?(uri.scheme)
rescue Addressable::URI::InvalidURIError
diff --git a/spec/lib/banzai/filter/sanitization_filter_spec.rb b/spec/lib/banzai/filter/sanitization_filter_spec.rb
index 27ce312b11c50066fd8b079a123c180513972f2b..b38e3b17e64b062aa6e60ceb61ee90a41d1f3afe 100644
--- a/spec/lib/banzai/filter/sanitization_filter_spec.rb
+++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb
@@ -22,6 +22,12 @@
expect(filter(act).to_html).to eq exp
end
+ it 'sanitizes mixed-cased javascript in attributes' do
+ act = %q(Text)
+ exp = 'Text'
+ expect(filter(act).to_html).to eq exp
+ end
+
it 'allows whitelisted HTML tags from the user' do
exp = act = "\n- Term
\n- Definition
\n
"
expect(filter(act).to_html).to eq exp