SECURITY: Encode embed url (#21133)

The embed_url in "This is a companion discussion..." could be used for XSS. Co-authored-by: Blake Erickson <o.blakeerickson@gmail.com>
2023-04-18 15:05:29 +08:00 · 2023-04-18 15:05:29 +08:00 · f3f30d6865
parent 0f7eeb5500
commit f3f30d6865
2 changed files with 11 additions and 0 deletions
--- a/app/models/topic_embed.rb
+++ b/app/models/topic_embed.rb
@ -29,6 +29,7 @@ class TopicEmbed < ActiveRecord::Base
  end

  def self.imported_from_html(url)
+    url = UrlHelper.normalized_encode(url)
    I18n.with_locale(SiteSetting.default_locale) do
      "\n<hr>\n<small>#{I18n.t("embed.imported_from", link: "<a href='#{url}'>#{url}</a>")}</small>\n"
    end
--- a/spec/models/topic_embed_spec.rb
+++ b/spec/models/topic_embed_spec.rb
@ -457,5 +457,15 @@ RSpec.describe TopicEmbed do
      I18n.locale = :de
      expect(TopicEmbed.imported_from_html("some_url")).to eq(expected_html)
    end
+
+    it "normalize_encodes the url" do
+      html =
+        TopicEmbed.imported_from_html(
+          'http://www.discourse.org/%23<%2Fa><img%20src%3Dx%20onerror%3Dalert("document.domain")%3B>',
+        )
+      expected_html =
+        "\n<hr>\n<small>This is a companion discussion topic for the original entry at <a href='http://www.discourse.org/%23%3C/a%3E%3Cimg%20src=x%20onerror=alert(%22document.domain%22);%3E'>http://www.discourse.org/%23%3C/a%3E%3Cimg%20src=x%20onerror=alert(%22document.domain%22);%3E</a></small>\n"
+      expect(html).to eq(expected_html)
+    end
  end
 end