SECURITY: fix XSS

Sam Saffron 2014-06-16 10:24:54 +10:00
parent 258c353307
commit d65efe7304
2 changed files with 12 additions and 0 deletions


@ -261,6 +261,7 @@ class DiscourseDiff
end
def characters(string)
string = CGI::escapeHTML(string)
@tokens.concat string.scan(/(\W|\w+[ \t]*)/).flatten
end
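Review bot: Escaping the whole string on line 14 before the tokenizer on line 15 runs means each entity is split into several tokens (`&lt;` becomes `&`, `lt`, `;`), so if the diff later wraps changed tokens in `<ins>`/`<del>` markup (that code is outside this hunk) an entity can straddle the markup, e.g. `&<del>lt</del><ins>gt</ins>;`, which renders as a literal `&` plus stray text instead of the intended character. Escaping in `characters` is presumably the right place, since the parser appears to have already decoded the entities the spec feeds in by the time this callback runs, but it should be applied per token rather than to the string: `@tokens.concat string.scan(/(\W|\w+[ \t]*)/).flatten.map { |t| CGI::escapeHTML(t) }`. That keeps each escaped character as a single token that can never be split, and the spec added in this commit should still pass since no raw `<` or `>` reaches the output.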


@ -5,6 +5,17 @@ describe DiscourseDiff do
describe "inline_html" do
it "doest not lead to XSS" do
a = "<test>start</test>"
b = "<test>end</test>"
prev = "<div>#{CGI::escapeHTML(a)}</div>"
cur = "<div>#{CGI::escapeHTML(b)}</div>"
diff = DiscourseDiff.new(prev,cur)
diff.inline_html.should_not =~ /<\/?test>/
diff.side_by_side_html.should_not =~ /<\/?test>/
end
it "returns an empty div when no content is diffed" do
DiscourseDiff.new("", "").inline_html.should == "<div class=\"inline-diff\"></div>"
end
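Review bot: The assertions on lines 28-29 only check that the raw `<test>` tags are absent, so an implementation that dropped the text entirely or returned an empty diff would pass as well; pin the intended output too, e.g. `diff.inline_html.should =~ /&lt;test&gt;/` and the same for `side_by_side_html`. The example description on line 22 reads "doest not" and should be "does not". The enclosing `describe DiscourseDiff` block begins outside this hunk.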