SECURITY: category badges should HTML escape names

2018-06-28 18:14:55 +10:00 · 2018-06-28 18:14:55 +10:00 · db14e10943
parent ec3e6a81a4
commit db14e10943
3 changed files with 22 additions and 4 deletions
--- a/app/models/category.rb
+++ b/app/models/category.rb
@ -217,7 +217,7 @@ class Category < ActiveRecord::Base

    @@cache ||= LruRedux::ThreadSafeCache.new(1000)
    @@cache.getset(self.description) do
-      Nokogiri::HTML.fragment(self.description).text.strip
+      Nokogiri::HTML.fragment(self.description).text.strip.html_safe
    end
  end

--- a/lib/category_badge.rb
+++ b/lib/category_badge.rb
@ -79,7 +79,7 @@ module CategoryBadge

    # category name
    class_names = 'badge-category clear-badge'
-    description = category.description_text ? "title='#{category.description_text.html_safe}'" : ''
+    description = category.description_text ? "title='#{category.description_text}'" : ''
    category_url = opts[:absolute_url] ? "#{Discourse.base_url_no_prefix}#{category.url}" : category.url

    extra_span_classes =
@ -102,7 +102,10 @@ module CategoryBadge
    result << "<span style='#{extra_span_classes}' data-drop-close='true' class='#{class_names}'
                 #{description}>"

-    result << category.name.html_safe << '</span>'
-    "<a class='badge-wrapper #{extra_classes}' href='#{category_url}'" + (opts[:inline_style] ? inline_badge_wrapper_style : '') + ">#{result}</a>"
+    result << ERB::Util.html_escape(category.name) << '</span>'
+
+    result = "<a class='badge-wrapper #{extra_classes}' href='#{category_url}'" + (opts[:inline_style] ? inline_badge_wrapper_style : '') + ">#{result}</a>"
+
+    result.html_safe
  end
 end
--- a/spec/components/category_badge_spec.rb
+++ b/spec/components/category_badge_spec.rb
@ -0,0 +1,15 @@
+require 'rails_helper'
+require 'category_badge'
+
+describe CategoryBadge do
+  it "escapes HTML in category names / descriptions" do
+    c = Fabricate(:category, name: '<b>name</b>', description: '<b>title</b>')
+
+    html = CategoryBadge.html_for(c)
+
+    expect(html).not_to include("<b>title</b>")
+    expect(html).not_to include("<b>name</b>")
+    expect(html).to include(ERB::Util.html_escape("<b>name</b>"))
+    expect(html).to include("title='title'")
+  end
+end