SECURITY: escape title HTML for inline onebox

This commit is contained in:
Sam 2019-01-10 12:02:05 +11:00
parent c85b9c6ed3
commit 35b59cfa78
2 changed files with 4 additions and 3 deletions


@ -655,7 +655,7 @@ class CookedPostProcessor
) )
if title = inline_onebox&.dig(:title) if title = inline_onebox&.dig(:title)
element.children = title element.children = CGI.escapeHTML(title)
element.add_class(INLINE_ONEBOX_CSS_CLASS) element.add_class(INLINE_ONEBOX_CSS_CLASS)
end end
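Review bot: `element.children = CGI.escapeHTML(title)` still routes the remote title through an HTML-fragment parse and relies on the escaping to make that parse yield a single text node; if `element` is a Nokogiri node, `element.content = title` sets the text content directly and Nokogiri performs the entity escaping itself, which removes the parse step and states the intent. If `children=` is kept, a why-comment at the call site would help the next reader, e.g. `# title is text fetched from a remote page; it must never be inserted as markup`. The `if` block closes within the hunk, but the enclosing method of `CookedPostProcessor` continues outside it.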


@ -185,7 +185,8 @@ describe CookedPostProcessor do
] ]
end end
let(:title) { 'some title' } let(:title) { '<b>some title</b>' }
let(:escaped_title) { CGI.escapeHTML(title) }
let(:post) do let(:post) do
Fabricate(:post, raw: <<~RAW) Fabricate(:post, raw: <<~RAW)
@ -203,7 +204,7 @@ describe CookedPostProcessor do
urls.each do |url| urls.each do |url|
stub_request(:get, url).to_return( stub_request(:get, url).to_return(
status: 200, status: 200,
body: "<html><head><title>#{title}</title></head></html>" body: "<html><head><title>#{escaped_title}</title></head></html>"
) )
end end
end end
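Review bot: The stub body at the changed `body:` line now serves `escaped_title`, so this spec only exercises the new escaping if the onebox title extraction decodes `&lt;b&gt;` back to `<b>` before the title reaches `CookedPostProcessor`; if it does not, the cooked output contains the escaped text with or without the fix and the positive expectation cannot fail. A negative expectation on the cooked HTML, `not_to include(title)` (the raw `<b>some title</b>`), would make a regression that drops `CGI.escapeHTML` fail regardless of how the upstream parser treats entities. The `let(:post)` block opened in the first hunk and the expectation itself lie outside the visible lines.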