SECURITY: Correctly escape 'text' email preview (stable)

David Taylor 2023-10-16 10:51:26 -04:00 committed by Penar Musaraj
parent c9888163d7
commit 157a321322
No known key found for this signature in database
GPG Key ID: E390435D881FF0F7
2 changed files with 46 additions and 5 deletions


@ -21,13 +21,15 @@
{{#if this.showHtml}} {{#if this.showHtml}}
<span>{{i18n "admin.email.html"}}</span> <span>{{i18n "admin.email.html"}}</span>
| |
<a href {{on "click" this.toggleShowHtml}}> <a href {{on "click" this.toggleShowHtml}} class="show-text-link">
{{i18n "admin.email.text"}} {{i18n "admin.email.text"}}
</a> </a>
{{else}} {{else}}
<a href {{on "click" this.toggleShowHtml}}>{{i18n <a
"admin.email.html" href
}}</a> {{on "click" this.toggleShowHtml}}
class="show-html-link"
>{{i18n "admin.email.html"}}</a>
| |
<span>{{i18n "admin.email.text"}}</span> <span>{{i18n "admin.email.text"}}</span>
{{/if}} {{/if}}
@ -77,7 +79,7 @@
></iframe> ></iframe>
{{/if}} {{/if}}
{{else}} {{else}}
<pre>{{html-safe this.model.text_content}}</pre> <pre>{{this.model.text_content}}</pre>
{{/if}} {{/if}}
</div> </div>
</div> </div>
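Review bot: The new `<pre>{{this.model.text_content}}</pre>` in the second hunk relies on Ember's default output escaping, but nothing in the template records why the `html-safe` wrapper was removed, so a later cleanup could reintroduce it. Add a template comment directly above that line, e.g. `{{!-- text_content is plain text from the server; it must go through default escaping, never html-safe --}}`. The sibling `html_content` branch is rendered into the iframe just above the hunk and its markup is outside this view, so I can't confirm how that side is handled; the enclosing `{{#if}}` block starts before the hunk.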


@ -0,0 +1,39 @@
import { acceptance, query } from "discourse/tests/helpers/qunit-helpers";
import { click, visit, waitUntil } from "@ember/test-helpers";
import { test } from "qunit";
acceptance("Admin - email-preview", function (needs) {
needs.user();
needs.pretender((server, helper) => {
server.get("/admin/email/preview-digest.json", () =>
helper.response(200, {
html_content: "<span>Hello world</span>",
text_content: "<span>Not actually html</span>",
})
);
});
test("preview rendering", async function (assert) {
await visit("/admin/email/preview-digest");
const iframe = query(".preview-output iframe");
// Rendered as a separate document, so Ember's built-in waiters don't work properly
await waitUntil(() => iframe.contentWindow.document.body);
const iframeBody = iframe.contentWindow.document.body;
assert.strictEqual(
iframeBody.querySelector("span").innerText,
"Hello world",
"html content is rendered inside iframe"
);
await click("a.show-text-link");
assert
.dom(".preview-output pre")
.hasText(
"<span>Not actually html</span>",
"text content is escaped correctly"
);
});
});
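Review bot: `waitUntil(() => iframe.contentWindow.document.body)` on line 58 resolves as soon as the iframe document has a body, which, if the preview markup is written into the frame asynchronously (I can't tell from here how the iframe is populated), may be before the `<span>` exists, so `iframeBody.querySelector("span").innerText` on line 61 can throw a TypeError rather than produce a clear assertion failure. Wait for the element itself: `await waitUntil(() => iframe.contentWindow.document.body?.querySelector("span"));`. The text-path assertion via `hasText` is the right check for the escaping fix, since `assert.dom` reads rendered text and only matches `"<span>Not actually html</span>"` if the markup in `text_content` was escaped rather than parsed.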