SECURITY: Prefer Loofah for processing cooked HTML

This commit is contained in:
Bianca Nenciu 2021-02-24 17:14:43 +02:00 committed by Bianca Nenciu
parent daf34ae7e2
commit 0c8d658ba8
No known key found for this signature in database
GPG Key ID: 07E83B117A6B844D
2 changed files with 9 additions and 1 deletions


@ -22,7 +22,7 @@ class CookedPostProcessor
@cooking_options = @cooking_options.symbolize_keys @cooking_options = @cooking_options.symbolize_keys
cooked = post.cook(post.raw, @cooking_options) cooked = post.cook(post.raw, @cooking_options)
@doc = Nokogiri::HTML5::fragment(cooked) @doc = Loofah.fragment(cooked)
@has_oneboxes = post.post_analyzer.found_oneboxes? @has_oneboxes = post.post_analyzer.found_oneboxes?
@size_cache = {} @size_cache = {}
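Review bot: The switch to `Loofah.fragment(cooked)` on the `@doc` line has no comment saying why the HTML5 parser was dropped, so a later "modernisation" back to `Nokogiri::HTML5::fragment` would silently reintroduce the issue the commit title calls a security fix. The visible motivation is serialisation rather than parsing: the WHATWG HTML5 serialisation algorithm leaves `<` and `>` unescaped inside attribute values, while the libxml2-based serialiser behind Loofah's default fragment escapes them, which is exactly what the new `#html` spec in the second file pins. A one-line note would carry that, e.g. `# Loofah (libxml2 serializer) so "<"/">" in attribute values stay escaped in #html; see spec "#html escapes attributes"`. Note that which parser `Loofah.fragment` uses depends on the Loofah version, so the spec is the real guard; the enclosing `initialize` starts and ends outside this hunk.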


@ -1809,4 +1809,12 @@ describe CookedPostProcessor do
end end
end end
context "#html" do
it "escapes attributes" do
post = Fabricate(:post, raw: '<img alt="<something>">')
expect(post.cook(post.raw)).to eq('<p><img alt="&lt;something&gt;"></p>')
expect(CookedPostProcessor.new(post).html).to eq('<p><img alt="&lt;something&gt;"></p>')
end
end
end end
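Review bot: The example description `it "escapes attributes"` is looser than what the expectations pin, which is that `<`/`>` inside an attribute value remain escaped after `CookedPostProcessor` re-serialises the cooked HTML. Naming the round-trip makes the intent survive a parser change, e.g. `it "keeps < and > in attribute values escaped after reserialization" do`. The first `expect` only checks `post.cook` and would pass regardless of the parser swap; the second one is the regression guard, so a short comment on it such as `# Nokogiri::HTML5 serialization would emit the raw "<" here` would tell a future reader which assertion matters.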