From 0c11acf6cf12fb0a564cf3e4022ab0aa207a0046 Mon Sep 17 00:00:00 2001
From: Ted Johansson
Date: Tue, 18 Apr 2023 15:05:33 +0800
Subject: [PATCH] SECURITY: Encode embed url (#21134)
The embed_url in "This is a companion discussion..." could be used for XSS.
Co-authored-by: Blake Erickson
---
 app/models/topic_embed.rb | 1 +
 spec/models/topic_embed_spec.rb | 10 ++++++++++
 2 files changed, 11 insertions(+)
diff --git a/app/models/topic_embed.rb b/app/models/topic_embed.rb
index 3b9545bf815..98754b5fe73 100644
--- a/app/models/topic_embed.rb
+++ b/app/models/topic_embed.rb
@@ -29,6 +29,7 @@ class TopicEmbed < ActiveRecord::Base
 end
 def self.imported_from_html(url)
+ url = UrlHelper.normalized_encode(url)
 I18n.with_locale(SiteSetting.default_locale) do
 "\n
\n#{I18n.t("embed.imported_from", link: "#{url}")}\n"
 end
diff --git a/spec/models/topic_embed_spec.rb b/spec/models/topic_embed_spec.rb
index a15e4b13ab5..82ed4957e66 100644
--- a/spec/models/topic_embed_spec.rb
+++ b/spec/models/topic_embed_spec.rb
@@ -457,5 +457,15 @@ RSpec.describe TopicEmbed do
 I18n.locale = :de
 expect(TopicEmbed.imported_from_html("some_url")).to eq(expected_html)
 end
+
+ it "normalize_encodes the url" do
+ html =
+ TopicEmbed.imported_from_html(
+ 'http://www.discourse.org/%23<%2Fa>',
+ )
+ expected_html =
+ "\n
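Review bot: The added `url = UrlHelper.normalized_encode(url)` is a URL normalizer rather than an HTML-attribute escaper, so the safety of the `link:` interpolation in the string literal below rests on which characters that helper happens to leave unencoded instead of on escaping for the output context. The expected spec output shows `<`, `>`, `"` and space turned into percent-escapes, but a single quote is a legal URL sub-delimiter and presumably survives normalization, which would matter if the anchor attribute in the (not visible here) markup is single-quoted. A more defensible shape is to escape for HTML after normalizing, e.g. passing `ERB::Util.html_escape(url)` into the `link:` argument, or to build the anchor with a Rails tag helper, and to extend the spec with a quote-bearing input so the contract is pinned rather than incidental. The method's closing `end` lies outside the hunk.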
\nThis is a companion discussion topic for the original entry at http://www.discourse.org/%23%3C/a%3E%3Cimg%20src=x%20onerror=alert(%22document.domain%22);%3E\n"
+ expect(html).to eq(expected_html)
+ end
 end
 end