SECURITY: Properly escape user content within `<noscript>` (stable)
This commit is contained in:
parent
177147f0ac
commit
568d704a94
|
@ -736,6 +736,10 @@ module ApplicationHelper
|
|||
absolute_url
|
||||
end
|
||||
|
||||
def escape_noscript(&block)
|
||||
raw capture(&block).gsub(%r{<(/\s*noscript)}i, '<\1')
|
||||
end
|
||||
|
||||
def manifest_url
|
||||
# If you want the `manifest_url` to be different for a specific action,
|
||||
# in the action set @manifest_url = X. Originally added for chat to add a
|
||||
|
|
|
@ -99,15 +99,17 @@
|
|||
|
||||
<%= render_google_tag_manager_body_code %>
|
||||
<noscript data-path="<%= request.env['PATH_INFO'] %>">
|
||||
<%= render partial: "layouts/noscript_header" %>
|
||||
<%= escape_noscript do %>
|
||||
<%= render partial: "layouts/noscript_header" %>
|
||||
|
||||
<div id="main-outlet" class="wrap" role="main">
|
||||
<!-- preload-content: -->
|
||||
<%= yield %>
|
||||
<!-- :preload-content -->
|
||||
</div>
|
||||
<div id="main-outlet" class="wrap" role="main">
|
||||
<!-- preload-content: -->
|
||||
<%= yield %>
|
||||
<!-- :preload-content -->
|
||||
</div>
|
||||
|
||||
<%= render partial: "layouts/noscript_footer" %>
|
||||
<%= render partial: "layouts/noscript_footer" %>
|
||||
<% end %>
|
||||
</noscript>
|
||||
|
||||
<%- unless customization_disabled? %>
|
||||
|
|
|
@ -0,0 +1,49 @@
|
|||
# frozen_string_literal: true
|
||||
RSpec.describe "escaping of noscript content" do
|
||||
def noscript_content
|
||||
# Browsers do not parse the contents of noscript tags - they just look for the next string matching `</noscript>`
|
||||
# Can't use nokogiri because it parses documents with the 'scripting flag' disabled, and therefore parses html inside noscript tags
|
||||
noscript_content = response.body.scan(%r{<noscript.*?>(.*?)</noscript>}m).join("\n")
|
||||
end
|
||||
|
||||
it "does not affect normal content" do
|
||||
post = Fabricate(:post, raw: 'This is a post with an image <img alt="<Look at this!>">')
|
||||
get post.url
|
||||
|
||||
expect(noscript_content).to include('<img alt="<Look at this!>">')
|
||||
end
|
||||
|
||||
it "escapes noscript in attribute" do
|
||||
post =
|
||||
Fabricate(
|
||||
:post,
|
||||
raw: 'This is a post with an image <img alt="</noscript>"> containing a noscript end tag',
|
||||
)
|
||||
get post.url
|
||||
|
||||
expect(noscript_content).to include('<img alt="</noscript>">')
|
||||
end
|
||||
|
||||
it "escapes noscript with trailing whitespace" do
|
||||
post =
|
||||
Fabricate(
|
||||
:post,
|
||||
raw: 'This is a post with an image <img alt="</noscript >"> containing a noscript end tag',
|
||||
)
|
||||
get post.url
|
||||
|
||||
expect(noscript_content).to include('<img alt="</noscript >">')
|
||||
end
|
||||
|
||||
it "escapes noscript with leading whitespace" do
|
||||
# The spec doesn't accept closing tags with leading whitespace. Browsers follow that, but some other parsers are more relaxed so we escape anyway
|
||||
post =
|
||||
Fabricate(
|
||||
:post,
|
||||
raw: 'This is a post with an image <img alt="</ noscript>"> containing a noscript end tag',
|
||||
)
|
||||
get post.url
|
||||
|
||||
expect(noscript_content).to include('<img alt="</ noscript>">')
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue