Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SECURITY: Prefer Loofah for processing cooked HTML

This commit is contained in:
Bianca Nenciu 2021-02-24 17:14:43 +02:00 committed by Bianca Nenciu
parent daf34ae7e2
commit 0c8d658ba8
No known key found for this signature in database
GPG Key ID: 07E83B117A6B844D
2 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lib/cooked_post_processor.rb
View File

@ -22,7 +22,7 @@ class CookedPostProcessor
@cooking_options = @cooking_options.symbolize_keys
cooked = post.cook(post.raw, @cooking_options)
@doc = Nokogiri::HTML5::fragment(cooked)
@doc = Loofah.fragment(cooked)
@has_oneboxes = post.post_analyzer.found_oneboxes?
@size_cache = {}

8
spec/components/cooked_post_processor_spec.rb
View File

@ -1809,4 +1809,12 @@ describe CookedPostProcessor do
end
end
context "#html" do
it "escapes attributes" do
post = Fabricate(:post, raw: '<img alt="<something>">')
expect(post.cook(post.raw)).to eq('<p><img alt="&lt;something&gt;"></p>')
expect(CookedPostProcessor.new(post).html).to eq('<p><img alt="&lt;something&gt;"></p>')
end
end
end