SECURITY: fix XSS

2014-06-16 10:24:54 +10:00 · 2014-06-16 10:24:54 +10:00 · d65efe7304
parent 258c353307
commit d65efe7304
2 changed files with 12 additions and 0 deletions
--- a/lib/discourse_diff.rb
+++ b/lib/discourse_diff.rb
@ -261,6 +261,7 @@ class DiscourseDiff
    end

    def characters(string)
+      string = CGI::escapeHTML(string)
      @tokens.concat string.scan(/(\W|\w+[ \t]*)/).flatten
    end

--- a/spec/components/discourse_diff_spec.rb
+++ b/spec/components/discourse_diff_spec.rb
@ -5,6 +5,17 @@ describe DiscourseDiff do

  describe "inline_html" do

+    it "doest not lead to XSS" do
+      a = "<test>start</test>"
+      b = "<test>end</test>"
+      prev = "<div>#{CGI::escapeHTML(a)}</div>"
+      cur = "<div>#{CGI::escapeHTML(b)}</div>"
+
+      diff = DiscourseDiff.new(prev,cur)
+      diff.inline_html.should_not =~ /<\/?test>/
+      diff.side_by_side_html.should_not =~ /<\/?test>/
+    end
+
    it "returns an empty div when no content is diffed" do
      DiscourseDiff.new("", "").inline_html.should == "<div class=\"inline-diff\"></div>"
    end