Merge branch 'rs-issue-2257' into 'master'

Recover from URI::Error

`URI::Error` is the base class for all URI errors.

Fixes #2257 and #2260

See merge request !1789

2 files changed, 18 insertions, 4 deletions

diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 20457572a08..2b41d421610 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -255,11 +255,15 @@ module ApplicationHelper
   #
   # Returns `html_options`, adding `rel: nofollow` for external links
   def add_nofollow(link, html_options = {})
-    uri = URI(link)
+    begin
+      uri = URI(link)
 
-    if uri && uri.absolute? && uri.host != Gitlab.config.gitlab.host
-      rel = html_options.fetch(:rel, '')
-      html_options[:rel] = (rel + ' nofollow').strip
+      if uri && uri.absolute? && uri.host != Gitlab.config.gitlab.host
+        rel = html_options.fetch(:rel, '')
+        html_options[:rel] = (rel + ' nofollow').strip
+      end
+    rescue URI::Error
+      # noop
     end
 
     html_options
diff --git a/spec/helpers/application_helper_spec.rb b/spec/helpers/application_helper_spec.rb
index 015a66f7fa0..d4cf6540080 100644
--- a/spec/helpers/application_helper_spec.rb
+++ b/spec/helpers/application_helper_spec.rb
@@ -249,6 +249,16 @@ describe ApplicationHelper do
       expect(link_to('Example', 'http://example.foo/bar')).
         to eq '<a href="http://example.foo/bar">Example</a>'
     end
+
+    it 'should not raise an error when given a bad URI' do
+      expect { link_to('default', 'if real=1 RANDOM; if real>1 IDLHS; if real>500 LHS') }.
+        not_to raise_error
+    end
+
+    it 'should not raise an error when given a bad mailto URL' do
+      expect { link_to('email', 'mailto://foo.bar@example.es?subject=Subject%20Line') }.
+        not_to raise_error
+    end
   end
 
   describe 'markup_render' do