Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SECURITY: Escape watched word in error message (#14434)

This commit is contained in:
Bianca Nenciu 2021-09-24 11:55:15 +03:00 committed by GitHub
parent e5754dedf4
commit 1f57b29147
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 12 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
lib/new_post_manager.rb
View File

@ -201,10 +201,10 @@ class NewPostManager
result = NewPostResult.new(:created_post, false) result = NewPostResult.new(:created_post, false)
if matches.size == 1 if matches.size == 1
key = 'contains_blocked_word' key = 'contains_blocked_word'
translation_args = { word: matches[0] } translation_args = { word: CGI.escapeHTML(matches[0]) }
else else
key = 'contains_blocked_words' key = 'contains_blocked_words'
translation_args = { words: matches.join(', ') } translation_args = { words: CGI.escapeHTML(matches.join(', ')) }
end end
result.errors.add(:base, I18n.t(key, translation_args)) result.errors.add(:base, I18n.t(key, translation_args))
return result return result

4
lib/validators/watched_words_validator.rb
View File

@ -5,10 +5,10 @@ class WatchedWordsValidator < ActiveModel::EachValidator
if matches = WordWatcher.new(value).should_block?.presence if matches = WordWatcher.new(value).should_block?.presence
if matches.size == 1 if matches.size == 1
key = 'contains_blocked_word' key = 'contains_blocked_word'
translation_args = { word: matches[0] } translation_args = { word: CGI.escapeHTML(matches[0]) }
else else
key = 'contains_blocked_words' key = 'contains_blocked_words'
translation_args = { words: matches.join(', ') } translation_args = { words: CGI.escapeHTML(matches.join(', ')) }
end end
record.errors.add(:base, I18n.t(key, translation_args)) record.errors.add(:base, I18n.t(key, translation_args))
end end

8
spec/integration/watched_words_spec.rb
View File

@ -32,6 +32,14 @@ describe WatchedWord do
}.to_not change { Post.count } }.to_not change { Post.count }
end end
it "escapes the blocked word in error message" do
block_word = Fabricate(:watched_word, action: WatchedWord.actions[:block], word: "<a>")
manager = NewPostManager.new(tl2_user, raw: "Want some #{block_word.word} for cheap?", topic_id: topic.id)
result = manager.perform
expect(result).to_not be_success
expect(result.errors[:base]&.first).to eq(I18n.t('contains_blocked_word', word: "&lt;a&gt;"))
end
it "should prevent the post from being created" do it "should prevent the post from being created" do
manager = NewPostManager.new(tl2_user, raw: "Want some #{block_word.word} for cheap?", topic_id: topic.id) manager = NewPostManager.new(tl2_user, raw: "Want some #{block_word.word} for cheap?", topic_id: topic.id)
should_block_post(manager) should_block_post(manager)