SECURITY: escape title HTML for inline onebox
parent
c85b9c6ed3
commit
35b59cfa78
@ -655,7 +655,7 @@ class CookedPostProcessor
|
|||
)
|
||||
|
||||
if title = inline_onebox&.dig(:title)
|
||||
element.children = title
|
||||
element.children = CGI.escapeHTML(title)
|
||||
element.add_class(INLINE_ONEBOX_CSS_CLASS)
|
||||
end
|
||||
|
||||
|
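Review bot: The added line still hands a string to `element.children=`, which, if `element` is a Nokogiri node as `add_class` suggests, parses its argument as an HTML fragment; escaping first works, but `element.content = title` would set a text node directly, needing no manual escape and no risk of double-escaping a title that already carries entities. Either way the line deserves a why-comment, since the next reader will be tempted to drop the escape: `# title is remote, untrusted content; it must never reach children= as markup`. The `if title = inline_onebox&.dig(:title)` assignment-in-condition reads like a typo at a glance; `title = inline_onebox&.dig(:title)` followed by `if title` is clearer. The enclosing method starts and ends outside this hunk.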
|
|
@ -185,7 +185,8 @@ describe CookedPostProcessor do
|
|||
]
|
||||
end
|
||||
|
||||
let(:title) { 'some title' }
|
||||
let(:title) { '<b>some title</b>' }
|
||||
let(:escaped_title) { CGI.escapeHTML(title) }
|
||||
|
||||
let(:post) do
|
||||
Fabricate(:post, raw: <<~RAW)
|
||||
|
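Review bot: The regression fixture only exercises a tag, so it cannot tell apart correct escaping from double-escaping; a second title such as a constructed `'Tom & Jerry "2"'` would catch a future change that escapes an already-escaped value (`&amp;amp;`) or leaves quotes intact. The stub in the following hunk embeds `escaped_title` in the fetched page, which presumes the onebox fetcher decodes entities from `<title>` before the post processor sees it — worth stating in a comment above `let(:escaped_title)`, e.g. `# the fetched <title> is entity-encoded; the onebox decodes it, so the processor must re-escape`. The assertion that the cooked output contains the escaped text rather than a real `<b>` element lies outside both hunks and should be confirmed.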
@ -203,7 +204,7 @@ describe CookedPostProcessor do
|
|||
urls.each do |url|
|
||||
stub_request(:get, url).to_return(
|
||||
status: 200,
|
||||
body: "<html><head><title>#{title}</title></head></html>"
|
||||
body: "<html><head><title>#{escaped_title}</title></head></html>"
|
||||
)
|
||||
end
|
||||
end
|
||||
|
|