SECURITY: Correctly escape 'text' email preview (stable)

2024-11-30 01:34:13 +08:00 · 2023-10-16 10:51:26 -04:00 · 2023-10-16 10:51:26 -04:00 · 157a321322
commit 157a321322
parent c9888163d7
2 changed files with 46 additions and 5 deletions
--- a/app/assets/javascripts/admin/addon/templates/email-preview-digest.hbs
+++ b/app/assets/javascripts/admin/addon/templates/email-preview-digest.hbs
@ -21,13 +21,15 @@
        {{#if this.showHtml}}
          <span>{{i18n "admin.email.html"}}</span>
          |
-          <a href {{on "click" this.toggleShowHtml}}>
+          <a href {{on "click" this.toggleShowHtml}} class="show-text-link">
            {{i18n "admin.email.text"}}
          </a>
        {{else}}
-          <a href {{on "click" this.toggleShowHtml}}>{{i18n
-              "admin.email.html"
-            }}</a>
+          <a
+            href
+            {{on "click" this.toggleShowHtml}}
+            class="show-html-link"
+          >{{i18n "admin.email.html"}}</a>
          |
          <span>{{i18n "admin.email.text"}}</span>
        {{/if}}
@ -77,7 +79,7 @@
          ></iframe>
        {{/if}}
      {{else}}
-        <pre>{{html-safe this.model.text_content}}</pre>
+        <pre>{{this.model.text_content}}</pre>
      {{/if}}
    </div>
  </div>
--- a/app/assets/javascripts/discourse/tests/acceptance/admin-email-preview-test.js
+++ b/app/assets/javascripts/discourse/tests/acceptance/admin-email-preview-test.js
@ -0,0 +1,39 @@
+import { acceptance, query } from "discourse/tests/helpers/qunit-helpers";
+import { click, visit, waitUntil } from "@ember/test-helpers";
+import { test } from "qunit";
+
+acceptance("Admin - email-preview", function (needs) {
+  needs.user();
+  needs.pretender((server, helper) => {
+    server.get("/admin/email/preview-digest.json", () =>
+      helper.response(200, {
+        html_content: "<span>Hello world</span>",
+        text_content: "<span>Not actually html</span>",
+      })
+    );
+  });
+
+  test("preview rendering", async function (assert) {
+    await visit("/admin/email/preview-digest");
+    const iframe = query(".preview-output iframe");
+
+    // Rendered as a separate document, so Ember's built-in waiters don't work properly
+    await waitUntil(() => iframe.contentWindow.document.body);
+
+    const iframeBody = iframe.contentWindow.document.body;
+
+    assert.strictEqual(
+      iframeBody.querySelector("span").innerText,
+      "Hello world",
+      "html content is rendered inside iframe"
+    );
+
+    await click("a.show-text-link");
+    assert
+      .dom(".preview-output pre")
+      .hasText(
+        "<span>Not actually html</span>",
+        "text content is escaped correctly"
+      );
+  });
+});