SECURITY: strip HTML tags in topic title in email digest

2016-03-08 20:08:23 +05:30 · 2016-03-08 20:08:23 +05:30 · dde91a54dc
parent 6c1d5b8cd3
commit dde91a54dc
2 changed files with 4 additions and 3 deletions
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@ -74,8 +74,9 @@ module ApplicationHelper
    end
  end

-  def unescape_emoji(title)
+  def format_topic_title(title)
    PrettyText.unescape_emoji(title)
+    strip_tags(title)
  end

  def with_format(format, &block)
--- a/app/views/user_notifications/digest.html.erb
+++ b/app/views/user_notifications/digest.html.erb
@ -20,7 +20,7 @@

      <%- @featured_topics.each_with_index do |t, i| %>
        <div class='featured-topic'>
-          <a href='<%= Discourse.base_url + t.relative_url %>' style='color: #<%= @anchor_color %>'><%= raw unescape_emoji(t.title) %></a>
+          <a href='<%= Discourse.base_url + t.relative_url %>' style='color: #<%= @anchor_color %>'><%= raw format_topic_title(t.title) %></a>
          <br/>
          <%= category_badge(t.category, inline_style: true, absolute_url: true) %>
        </div>
@ -43,7 +43,7 @@
      <%- @new_topics.each do |t| %>
        <ul>
          <li>
-            <a href='<%= Discourse.base_url + t.relative_url %>' style='color: #<%= @anchor_color %>'><%= raw unescape_emoji(t.title) %></a>
+            <a href='<%= Discourse.base_url + t.relative_url %>' style='color: #<%= @anchor_color %>'><%= raw format_topic_title(t.title) %></a>
            <span class='post-count'><%= t.posts_count %></span>
            <%= category_badge(t.category, inline_style: true, absolute_url: true) %>
          </li>