From 35b59cfa78c25eb53f76c21c47576ce30734fc07 Mon Sep 17 00:00:00 2001
From: Sam
Date: Thu, 10 Jan 2019 12:02:05 +1100
Subject: [PATCH] SECURITY: escape title HTML for inline onebox

---
 lib/cooked_post_processor.rb | 2 +-
 spec/components/cooked_post_processor_spec.rb | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/lib/cooked_post_processor.rb b/lib/cooked_post_processor.rb
index 1e8b0a0f312..9ab9ca6b157 100644
--- a/lib/cooked_post_processor.rb
+++ b/lib/cooked_post_processor.rb
@@ -655,7 +655,7 @@ class CookedPostProcessor
 )
 if title = inline_onebox&.dig(:title)
- element.children = title
+ element.children = CGI.escapeHTML(title)
 element.add_class(INLINE_ONEBOX_CSS_CLASS)
 end
diff --git a/spec/components/cooked_post_processor_spec.rb b/spec/components/cooked_post_processor_spec.rb
index a8bedc1a737..9e2628a4c57 100644
--- a/spec/components/cooked_post_processor_spec.rb
+++ b/spec/components/cooked_post_processor_spec.rb
@@ -185,7 +185,8 @@ describe CookedPostProcessor do
 ]
 end
- let(:title) { 'some title' }
+ let(:title) { 'some title' }
+ let(:escaped_title) { CGI.escapeHTML(title) }
 let(:post) do
 Fabricate(:post, raw: <<~RAW)
@@ -203,7 +204,7 @@ describe CookedPostProcessor do
 urls.each do |url|
 stub_request(:get, url).to_return(
 status: 200,
- body: "#{title}"
+ body: "#{escaped_title}"
 )
 end
 end
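Review bot: The escaped string on the `+` line in lib/cooked_post_processor.rb is still handed to `children=`, which parses a String as markup, so the fix depends on the escaping surviving that parse rather than on the title never being interpreted as HTML; if `element` is a Nokogiri node, `element.content = title` sets the text node directly and states the intent without relying on a round trip. If `children=` is kept, a one-line comment would stop the next maintainer from "simplifying" it back: `# children= parses a String as HTML; escape so a remote page title cannot inject markup`. The enclosing method starts and ends outside the hunk.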
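Review bot: In the spec hunk at line 185 `title` stays `'some title'`, which contains no character that `CGI.escapeHTML` rewrites, so `escaped_title == title` and the spec passes with or without the escaping change in lib/cooked_post_processor.rb; the regression is not actually covered. Give the fixture a title with markup-significant characters, e.g. `let(:title) { 'some <b>title</b> & more' }`, so the third hunk, which feeds `escaped_title` into the stubbed response body, exercises the escaping path for real. The expectation that checks the cooked output is outside the hunk and may need to compare against `escaped_title` rather than `title` once the fixture changes.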