Escape values of HTML attributes

This commit is contained in:
Dmitry Klimensky 2021-08-10 16:14:37 +03:00 committed by Robin Ward
parent 7dc8f8b794
commit d54b339809
2 changed files with 6 additions and 1 deletions


@ -256,7 +256,7 @@ class DiscourseDiff
USELESS_TAGS = %w{html body}
def start_element(name, attributes = [])
return if USELESS_TAGS.include?(name)
attrs = attributes.map { |a| " #{a[0]}=\"#{a[1]}\"" }.join
attrs = attributes.map { |a| " #{a[0]}=\"#{CGI::escapeHTML(a[1])}\"" }.join
@tokens << "<#{name}#{attrs}>"
end
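Review bot: `CGI::escapeHTML(a[1])` on the new line raises a TypeError if the SAX parser hands over a valueless attribute with a nil value (for example `<p hidden>`), where the previous interpolation silently produced an empty string; I cannot see the parser setup from this hunk, so whether nil reaches here should be confirmed, but `CGI::escapeHTML(a[1].to_s)` costs nothing and removes the risk. The attribute name `a[0]` and the element `name` are still interpolated unescaped; they come from the parser rather than straight from user input, so this is presumably acceptable, but a one-line comment such as `# names come from the parser; only values can carry user-controlled quotes/angle brackets` would record that reasoning. The enclosing class continues outside the hunk, so I cannot tell whether `cgi` is required at the top of the file or relied on from Rails.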


@ -107,6 +107,11 @@ describe DiscourseDiff do
expect(DiscourseDiff.new(before, after).side_by_side_html).to eq("<div class=\"revision-content\"><p><del>&#39;</del></p></div><div class=\"revision-content\"><p></p></div>")
end
it "escapes attribute values" do
before = "<p data-attr='Some \"quoted\" string'></p>"
after = "<p data-attr='Some \"quoted\" string'></p>"
expect(DiscourseDiff.new(before, after).side_by_side_html).to eq("<div class=\"revision-content\"><p data-attr=\"Some &quot;quoted&quot; string\"></p></div><div class=\"revision-content\"><p data-attr=\"Some &quot;quoted&quot; string\"></p></div>")
end
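Review bot: The new spec only covers a double-quote inside the value, and since `before` and `after` are identical it never exercises the escaping on a changed attribute; a value with `&`, `<` and `'` would pin down the full `CGI::escapeHTML` contract, for example `before = "<p data-attr='a<b & \"c\"'></p>"` expecting `data-attr="a&lt;b &amp; &quot;c&quot;"`. A second example with a valueless attribute such as `<p hidden></p>` would also document what the diff emits when the parser supplies no value, which is the case most likely to behave differently after this change.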
end
describe "side_by_side_markdown" do