mirror of
https://github.com/discourse/discourse.git
synced 2024-11-22 09:42:02 +08:00
SECURITY: XSS when oneboxing user profile location field
The XSS here is only possible if CSP is disabled. Low impact since CSP is enabled by default in SiteSettings.
This commit is contained in:
parent
c3bbf643b1
commit
3debdc8131
|
@ -245,7 +245,7 @@ module Oneboxer
|
|||
avatar: PrettyText.avatar_img(user.avatar_template, "extra_large"),
|
||||
name: name,
|
||||
bio: user.user_profile.bio_excerpt(230),
|
||||
location: user.user_profile.location,
|
||||
location: Onebox::Helpers.sanitize(user.user_profile.location),
|
||||
joined: I18n.t('joined'),
|
||||
created_at: user.created_at.strftime(I18n.t('datetime_formats.formats.date_only')),
|
||||
website: user.user_profile.website,
|
||||
|
|
|
@ -113,6 +113,25 @@ describe Oneboxer do
|
|||
expect(preview("#{path}.mov")).to include("<video ")
|
||||
end
|
||||
|
||||
it "strips HTML from user profile location" do
|
||||
user = Fabricate(:user)
|
||||
profile = user.reload.user_profile
|
||||
|
||||
expect(preview("/u/#{user.username}")).not_to include("<span class=\"location\">")
|
||||
|
||||
profile.update!(
|
||||
location: "<img src=x onerror=alert(document.domain)>",
|
||||
)
|
||||
|
||||
expect(preview("/u/#{user.username}")).to include("<span class=\"location\">")
|
||||
expect(preview("/u/#{user.username}")).not_to include("<img src=x")
|
||||
|
||||
profile.update!(
|
||||
location: "Thunderland",
|
||||
)
|
||||
|
||||
expect(preview("/u/#{user.username}")).to include("Thunderland")
|
||||
end
|
||||
end
|
||||
|
||||
context ".onebox_raw" do
|
||||
|
@ -140,5 +159,4 @@ describe Oneboxer do
|
|||
|
||||
expect(Oneboxer.external_onebox(url)[:onebox]).to be_present
|
||||
end
|
||||
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue
Block a user