discourse/discourse
1
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-03-09 14:34:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

SECURITY: fix XSS

Browse Source
This commit is contained in:
Sam Saffron 2014-06-16 10:24:54 +10:00
parent 258c353307
commit d65efe7304
2 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
lib/discourse_diff.rb
View File

@ -261,6 +261,7 @@ class DiscourseDiff
end end
def characters(string) def characters(string)
string = CGI::escapeHTML(string)
@tokens.concat string.scan(/(\W|\w+[ \t]*)/).flatten @tokens.concat string.scan(/(\W|\w+[ \t]*)/).flatten
end end

11
spec/components/discourse_diff_spec.rb
View File

@ -5,6 +5,17 @@ describe DiscourseDiff do
describe "inline_html" do describe "inline_html" do
it "doest not lead to XSS" do
a = "<test>start</test>"
b = "<test>end</test>"
prev = "<div>#{CGI::escapeHTML(a)}</div>"
cur = "<div>#{CGI::escapeHTML(b)}</div>"
diff = DiscourseDiff.new(prev,cur)
diff.inline_html.should_not =~ /<\/?test>/
diff.side_by_side_html.should_not =~ /<\/?test>/
end
it "returns an empty div when no content is diffed" do it "returns an empty div when no content is diffed" do
DiscourseDiff.new("", "").inline_html.should == "<div class=\"inline-diff\"></div>" DiscourseDiff.new("", "").inline_html.should == "<div class=\"inline-diff\"></div>"
end end