mirror of
https://github.com/discourse/discourse.git
synced 2024-12-03 19:33:38 +08:00
SECURITY: Encode embed url (#21134)
The embed_url in "This is a companion discussion..." could be used for XSS. Co-authored-by: Blake Erickson <o.blakeerickson@gmail.com>
This commit is contained in:
parent
bbc7746cef
commit
0c11acf6cf
|
@ -29,6 +29,7 @@ class TopicEmbed < ActiveRecord::Base
|
|||
end
|
||||
|
||||
def self.imported_from_html(url)
|
||||
url = UrlHelper.normalized_encode(url)
|
||||
I18n.with_locale(SiteSetting.default_locale) do
|
||||
"\n<hr>\n<small>#{I18n.t("embed.imported_from", link: "<a href='#{url}'>#{url}</a>")}</small>\n"
|
||||
end
|
||||
|
|
|
@ -457,5 +457,15 @@ RSpec.describe TopicEmbed do
|
|||
I18n.locale = :de
|
||||
expect(TopicEmbed.imported_from_html("some_url")).to eq(expected_html)
|
||||
end
|
||||
|
||||
it "normalize_encodes the url" do
|
||||
html =
|
||||
TopicEmbed.imported_from_html(
|
||||
'http://www.discourse.org/%23<%2Fa><img%20src%3Dx%20onerror%3Dalert("document.domain")%3B>',
|
||||
)
|
||||
expected_html =
|
||||
"\n<hr>\n<small>This is a companion discussion topic for the original entry at <a href='http://www.discourse.org/%23%3C/a%3E%3Cimg%20src=x%20onerror=alert(%22document.domain%22);%3E'>http://www.discourse.org/%23%3C/a%3E%3Cimg%20src=x%20onerror=alert(%22document.domain%22);%3E</a></small>\n"
|
||||
expect(html).to eq(expected_html)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue
Block a user