SECURITY: Encode embed url (#21134)

The embed_url in "This is a companion discussion..." could be used for
XSS.

Co-authored-by: Blake Erickson <o.blakeerickson@gmail.com>
This commit is contained in:
Ted Johansson 2023-04-18 15:05:33 +08:00 committed by GitHub
parent bbc7746cef
commit 0c11acf6cf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 0 deletions

View File

@ -29,6 +29,7 @@ class TopicEmbed < ActiveRecord::Base
end
def self.imported_from_html(url)
url = UrlHelper.normalized_encode(url)
I18n.with_locale(SiteSetting.default_locale) do
"\n<hr>\n<small>#{I18n.t("embed.imported_from", link: "<a href='#{url}'>#{url}</a>")}</small>\n"
end

View File

@ -457,5 +457,15 @@ RSpec.describe TopicEmbed do
I18n.locale = :de
expect(TopicEmbed.imported_from_html("some_url")).to eq(expected_html)
end
it "normalize_encodes the url" do
html =
TopicEmbed.imported_from_html(
'http://www.discourse.org/%23<%2Fa><img%20src%3Dx%20onerror%3Dalert("document.domain")%3B>',
)
expected_html =
"\n<hr>\n<small>This is a companion discussion topic for the original entry at <a href='http://www.discourse.org/%23%3C/a%3E%3Cimg%20src=x%20onerror=alert(%22document.domain%22);%3E'>http://www.discourse.org/%23%3C/a%3E%3Cimg%20src=x%20onerror=alert(%22document.domain%22);%3E</a></small>\n"
expect(html).to eq(expected_html)
end
end
end