FIX: Keep onebox styling in edit history

Penar Musaraj 2020-06-15 15:23:14 -04:00
parent 18244ff44c
commit 298393a5bc
No known key found for this signature in database
GPG Key ID: E390435D881FF0F7
2 changed files with 30 additions and 3 deletions


@ -261,9 +261,10 @@ export default Controller.extend(ModalFunctionality, {
this.set("bodyDiff", html);
} else {
const opts = {
features: { editHistory: true },
features: { editHistory: true, historyOneboxes: true },
whiteListed: {
editHistory: { custom: (tag, attr) => attr === "class" }
editHistory: { custom: (tag, attr) => attr === "class" },
historyOneboxes: ["header", "article", "div[style]"]
}
};
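Review bot: The new `historyOneboxes: ["header", "article", "div[style]"]` entry appears to accept any `style` value on a `div` in the revision diff, while the onebox markup in the accompanying test only needs `clear: both`. Unless the sanitizer filters CSS values elsewhere, which this hunk does not show, revision content could carry arbitrary inline CSS into the edit-history modal, so narrowing the entry to the one value oneboxes emit (if the whitelist format supports pinning a value) would be safer. A short comment above `opts`, such as `// historyOneboxes: only the tags/attributes onebox markup needs; keep this list minimal`, would also record why the list exists. The enclosing function begins and ends outside the hunk.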


@ -40,6 +40,17 @@ QUnit.test("displayEdit", async function(assert) {
const html = `<div class="revision-content">
<p><img src="/uploads/default/original/1X/6b963ffc13cb0c053bbb90c92e99d4fe71b286ef.jpg" alt="" class="diff-del"><img/src=x onerror=alert(document.domain)>" width="276" height="183"></p>
</div>
<aside class="onebox whitelistedgeneric">
<header class="source">
<img src="/uploads/default/original/1X/1b0984d7ee08bce90572f46a1950e1ced436d028.png" class="site-icon" width="32" height="32">
<a href="https://meta.discourse.org/t/discourse-version-2-5/125302">Discourse Meta 9 Aug 19</a>
</header>
<article class="onebox-body">
<img src="/uploads/default/optimized/1X/ecc92a52ee7353e03d5c0d1ea6521ce4541d9c25_2_500x500.png" class="thumbnail onebox-avatar d-lazyload" width="500" height="500">
<h3><a href="https://meta.discourse.org/t/discourse-version-2-5/125302" target="_blank">Discourse Version 2.5</a></h3>
<div style="clear: both"></div>
</article>
</aside>
<table background="javascript:alert(\"HACKEDXSS\")">
<thead>
<tr>
@ -58,6 +69,17 @@ QUnit.test("displayEdit", async function(assert) {
const expectedOutput = `<div class="revision-content">
<p><img src="/uploads/default/original/1X/6b963ffc13cb0c053bbb90c92e99d4fe71b286ef.jpg" alt class="diff-del">" width="276" height="183"&gt;</p>
</div>
<aside class="onebox whitelistedgeneric">
<header class="source">
<img src="/uploads/default/original/1X/1b0984d7ee08bce90572f46a1950e1ced436d028.png" class="site-icon" width="32" height="32">
<a href="https://meta.discourse.org/t/discourse-version-2-5/125302">Discourse Meta 9 Aug 19</a>
</header>
<article class="onebox-body">
<img src="/uploads/default/optimized/1X/ecc92a52ee7353e03d5c0d1ea6521ce4541d9c25_2_500x500.png" class="thumbnail onebox-avatar d-lazyload" width="500" height="500">
<h3><a href="https://meta.discourse.org/t/discourse-version-2-5/125302" target="_blank">Discourse Version 2.5</a></h3>
<div style="clear: both"></div>
</article>
</aside>
<table>
<thead>
<tr>
@ -85,5 +107,9 @@ QUnit.test("displayEdit", async function(assert) {
await HistoryController.bodyDiffChanged();
const output = HistoryController.get("bodyDiff");
assert.equal(output, expectedOutput, "it keeps safe HTML");
assert.equal(
output,
expectedOutput,
"it keeps HTML safe and doesn't strip onebox tags"
);
});
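Review bot: The fixture added to `displayEdit` covers only the benign path for the new whitelist entries, a well-formed onebox whose `div` carries `style="clear: both"`. Nothing checks what the sanitizer emits when `header`, `article` or a styled `div` arrives with an event-handler attribute or a style value oneboxes never produce, so a later loosening of the whitelist would not fail this test. Consider a second fixture for those cases with its own assertion message, e.g. `"it strips unsafe attributes from onebox tags"`, so a regression points at the onebox rules rather than at the whole output string. The test body starts outside the first hunk of this file.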