SECURITY: Correctly parse URLs in chat excerpts
This commit is contained in:
parent
07f6952beb
commit
1da97de7f0
@ -122,7 +122,14 @@ module Chat
|
|||
|
||||
def build_excerpt
|
||||
# just show the URL if the whole message is a URL, because we cannot excerpt oneboxes
|
||||
return message if UrlHelper.relaxed_parse(message).is_a?(URI)
|
||||
urls = PrettyText.extract_links(cooked).map(&:url)
|
||||
if urls.present?
|
||||
regex = %r{^[^:]+://}
|
||||
clean_urls = urls.map { |url| url.sub(regex, "") }
|
||||
if message.gsub(regex, "").split.sort == clean_urls.sort
|
||||
return PrettyText.excerpt(urls.join(" "), EXCERPT_LENGTH)
|
||||
end
|
||||
end
|
||||
|
||||
# upload-only messages are better represented as the filename
|
||||
return uploads.first.original_filename if cooked.blank? && uploads.present?
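Review bot: The scheme-stripping pattern on the `regex = %r{^[^:]+://}` line is too loose for what the comparison below needs: `[^:]+` also matches spaces and newlines, so for a message like `hello http://x.com` the `message.gsub(regex, "")` result is just `x.com`, the sorted lists compare equal, and the leading text is silently dropped from the excerpt; conversely, with `^` matching only at line starts, two URLs on one line get only the first scheme removed and the branch never fires for them. Stripping per whitespace-separated token with a string-anchored pattern fixes both cases: `scheme = %r{\A[^:\s/]+://}`, `clean_urls = urls.map { |url| url.sub(scheme, "") }`, `if message.split.map { |token| token.sub(scheme, "") }.sort == clean_urls.sort`. Note also that the earlier `return message if UrlHelper.relaxed_parse(message).is_a?(URI)` guard still hands back the raw, unexcerpted message, whereas the new multi-URL branch goes through `PrettyText.excerpt`; if that guard is reachable for arbitrary schemes it deserves either a comment stating why raw return is safe or the same `PrettyText.excerpt(message, EXCERPT_LENGTH)` treatment. build_excerpt's body continues past the end of this hunk.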
|
||||
@ -296,6 +296,15 @@ RSpec.describe "Chat channel", type: :system do
|
|||
)
|
||||
end
|
||||
|
||||
it "renders escaped HTML when including a #" do
|
||||
update_message!(message_2, user: other_user, text: "#general <abbr>not abbr</abbr>")
|
||||
chat_page.visit_channel(channel_1)
|
||||
|
||||
expect(find(".chat-reply .chat-reply__excerpt")["innerHTML"].strip).to eq(
|
||||
"#general <abbr>not abbr</abbr>",
|
||||
)
|
||||
end
|
||||
|
||||
it "renders safe HTML like mentions (which are just links) in the reply-to" do
|
||||
update_message!(
|
||||
message_2,
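Review bot: The expectation in the "renders escaped HTML when including a #" example reads `"#general <abbr>not abbr</abbr>"` as shown here, which is the unescaped form — if that string really is what the spec asserts against `innerHTML`, the test checks the opposite of its title and should expect `"#general &lt;abbr&gt;not abbr&lt;/abbr&gt;"`; if the rendered page merely decoded the entities, this is moot but worth confirming in the source. It would also help to state in the example (or a comment above `update_message!`) that the reply excerpt is produced server-side by `build_excerpt`, so a reader knows which escaping path is under test. The second example, "renders safe HTML like mentions…", begins on the last lines of this hunk and its body continues outside it.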
|
||||