diff --git a/app/models/topic_embed.rb b/app/models/topic_embed.rb
index 3b9545bf815..98754b5fe73 100644
--- a/app/models/topic_embed.rb
+++ b/app/models/topic_embed.rb
@@ -29,6 +29,7 @@ class TopicEmbed < ActiveRecord::Base
 end
 def self.imported_from_html(url)
+ url = UrlHelper.normalized_encode(url)
 I18n.with_locale(SiteSetting.default_locale) do
 "\n
\n#{I18n.t("embed.imported_from", link: "#{url}")}\n"
 end
diff --git a/spec/models/topic_embed_spec.rb b/spec/models/topic_embed_spec.rb
index a15e4b13ab5..82ed4957e66 100644
--- a/spec/models/topic_embed_spec.rb
+++ b/spec/models/topic_embed_spec.rb
@@ -457,5 +457,15 @@ RSpec.describe TopicEmbed do
 I18n.locale = :de
 expect(TopicEmbed.imported_from_html("some_url")).to eq(expected_html)
 end
+
+ it "normalize_encodes the url" do
+ html =
+ TopicEmbed.imported_from_html(
+ 'http://www.discourse.org/%23<%2Fa>',
+ )
+ expected_html =
+ "\n
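Review bot: `UrlHelper.normalized_encode(url)` is now the only barrier between the remote, feed-supplied URL and the HTML assembled from the `embed.imported_from` translation, yet nothing in the hunk records that this line is a security boundary rather than a cosmetic normalisation; a comment such as `# The embed URL comes from the remote feed; percent-encode it before it is interpolated into the HTML below.` would keep a later refactor from dropping it. Percent-encoding `<`, `>` and `"` (which is what the spec hunk exercises) does not by itself constrain the URL's scheme, so unless `normalized_encode` already rejects non-http(s) input it is worth validating the scheme before interpolation as well. The behaviour for a `nil` url is not visible here either; the existing spec only passes plain strings, so confirm `normalized_encode` tolerates whatever callers may pass. The remainder of `imported_from_html` and the enclosing class lie outside the hunk.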
\nThis is a companion discussion topic for the original entry at http://www.discourse.org/%23%3C/a%3E%3Cimg%20src=x%20onerror=alert(%22document.domain%22);%3E\n"
+ expect(html).to eq(expected_html)
+ end
 end
 end
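Review bot: The new example pins the whole translated sentence in `expected_html`, so any wording change to `embed.imported_from` will break a test whose purpose is URL encoding, and the example name `normalize_encodes the url` does not match the helper `normalized_encode` the model now calls. Asserting the encoding property directly is more durable, e.g. `expect(html).to include("%3C/a%3E")` together with `expect(html).not_to include("<%2Fa>")`, keeping the full-string comparison only if the translation text is deliberately frozen. The enclosing `describe` block begins outside the hunk.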