SECURITY: Prefer Loofah for processing cooked HTML
This commit is contained in:
parent
daf34ae7e2
commit
0c8d658ba8
|
@ -22,7 +22,7 @@ class CookedPostProcessor
|
||||||
@cooking_options = @cooking_options.symbolize_keys
|
@cooking_options = @cooking_options.symbolize_keys
|
||||||
|
|
||||||
cooked = post.cook(post.raw, @cooking_options)
|
cooked = post.cook(post.raw, @cooking_options)
|
||||||
@doc = Nokogiri::HTML5::fragment(cooked)
|
@doc = Loofah.fragment(cooked)
|
||||||
@has_oneboxes = post.post_analyzer.found_oneboxes?
|
@has_oneboxes = post.post_analyzer.found_oneboxes?
|
||||||
@size_cache = {}
|
@size_cache = {}
|
||||||
|
|
||||||
|
|
|
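Review bot: The property this change relies on, that `<` and `>` inside attribute values come back escaped, is decided by whatever later serializes `@doc` (presumably the `html` method the new spec calls), not by the parse on this line, so that serialization path should be reviewed together with it; it lies outside this hunk. Replacing `Nokogiri::HTML5::fragment` with `Loofah.fragment` also changes the parser: unless the installed Loofah makes `fragment` HTML5-based, the cooked HTML is now parsed with libxml2's HTML4 parser, and a differential between the parser that sanitized the markup and the one that re-parses it is the classic mutation-XSS setup, so if the Loofah version in the lockfile offers it, `@doc = Loofah.html5_fragment(cooked)` would keep the HTML5 tree model the previous code had. Since `@doc` is used throughout CookedPostProcessor beyond this hunk, any code relying on HTML5-specific parse behaviour (`<template>` or SVG/MathML foreign content, for instance) should be re-checked. A why-comment on this line, e.g. `# Loofah is used for its attribute-escaping serializer; see #html and the "escapes attributes" spec before changing`, would record why it must not be reverted.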
@ -1809,4 +1809,12 @@ describe CookedPostProcessor do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context "#html" do
|
||||||
|
it "escapes attributes" do
|
||||||
|
post = Fabricate(:post, raw: '<img alt="<something>">')
|
||||||
|
expect(post.cook(post.raw)).to eq('<p><img alt="<something>"></p>')
|
||||||
|
expect(CookedPostProcessor.new(post).html).to eq('<p><img alt="<something>"></p>')
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
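Review bot: The new "escapes attributes" spec only pins `<`/`>` inside one attribute value; adding a quote-and-ampersand case and a text-node case would pin the serializer contract the commit depends on more fully, e.g. `post = Fabricate(:post, raw: '<img alt="&quot;><b>x">')` expecting the `&quot;` to survive `CookedPostProcessor.new(post).html` unchanged, and `raw: '&lt;script&gt;'` expecting `'<p>&lt;script&gt;</p>'`, assuming the cooker passes these through as it does the existing `img` case. Note that as rendered on this page the expected strings show a literal `<something>`; in the source they are almost certainly `&lt;something&gt;` with the entities decoded by the page rendering, and this should be confirmed against the raw file, since a literal `<` in the expectation would assert exactly the unsafe behaviour the commit is fixing. The enclosing `describe CookedPostProcessor do` block starts outside the hunk.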