SECURITY: Stripping links could unescape HTML fragments
parent
c16b8364ab
commit
19b4364d79
|
@ -250,7 +250,7 @@ module PrettyText
|
||||||
|
|
||||||
# If the user is not basic, strip links from their bio
|
# If the user is not basic, strip links from their bio
|
||||||
fragment = Nokogiri::HTML.fragment(string)
|
fragment = Nokogiri::HTML.fragment(string)
|
||||||
fragment.css('a').each {|a| a.replace(a.text) }
|
fragment.css('a').each {|a| a.replace(a.inner_html) }
|
||||||
fragment.to_html
|
fragment.to_html
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
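Review bot: The new line `fragment.css('a').each {|a| a.replace(a.inner_html) }` still hands a String to `Node#replace`, which Nokogiri parses as markup again; `inner_html` keeps entities escaped, so the unescape reported in the title is fixed, but the serialize-and-reparse round trip is unnecessary and any later switch back to a text accessor would silently reintroduce the injection. Passing the anchor's existing child nodes avoids parsing altogether: `fragment.css('a').each { |a| a.replace(a.children) }` (Nokogiri's `replace` accepts a NodeSet as well as a String). A why-comment would help the next reader, e.g. `# keep the anchor's children as nodes; passing decoded text to replace() would be re-parsed as HTML`. The enclosing method (presumably `strip_links`, given the spec) starts before this hunk, so its signature and return path are not visible here.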
@ -218,6 +218,10 @@ describe PrettyText do
|
||||||
it "strips links but leaves the text content" do
|
it "strips links but leaves the text content" do
|
||||||
expect(PrettyText.strip_links("I'm the linked <a href='http://en.wikipedia.org/wiki/Batman'>batman</a>")).to eq("I'm the linked batman")
|
expect(PrettyText.strip_links("I'm the linked <a href='http://en.wikipedia.org/wiki/Batman'>batman</a>")).to eq("I'm the linked batman")
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it "escapes the text content" do
|
||||||
|
expect(PrettyText.strip_links("I'm the linked <a href='http://en.wikipedia.org/wiki/Batman'><batman></a>")).to eq("I'm the linked <batman>")
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe "make_all_links_absolute" do
|
describe "make_all_links_absolute" do
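Review bot: The expected value on the `it "escapes the text content"` line reads `<batman>` as rendered here; if the spec literally contains angle brackets rather than `&lt;batman&gt;`, Nokogiri would parse `<batman>` as an element and the assertion would not exercise the escaping path this commit fixes — worth confirming the entities survived (the page may have decoded them). A second case pinning that markup nested inside the anchor is preserved would guard the `inner_html` choice against regressions, e.g. `expect(PrettyText.strip_links("<a href='/x'><b>bold</b></a>")).to eq("<b>bold</b>")`, assuming `to_html` serializes the child element unchanged. The enclosing `describe` block starts before this hunk.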
|
||||||
|
|