From 58bb3967e5b49c6e0bad5379ba559130afa2ccf2 Mon Sep 17 00:00:00 2001
From: Vinoth Kannan
Date: Thu, 15 Mar 2018 19:57:55 +0530
Subject: [PATCH] SECURITY: Oneboxer should escape the URL before processing

---
 lib/oneboxer.rb                  | 2 ++
 spec/components/oneboxer_spec.rb | 9 +++++++++
 2 files changed, 11 insertions(+)

diff --git a/lib/oneboxer.rb b/lib/oneboxer.rb
index 935233ead73..b8394f16901 100644
--- a/lib/oneboxer.rb
+++ b/lib/oneboxer.rb
@@ -1,3 +1,4 @@
+require 'uri'
 require_dependency "onebox/discourse_onebox_sanitize_config"
 require_dependency 'final_destination'
 
@@ -131,6 +132,7 @@ module Oneboxer
   end
 
   def self.onebox_raw(url, opts = {})
+    url = URI(url).to_s
     local_onebox(url, opts) || external_onebox(url)
   rescue => e
     # no point warning here, just cause we have an issue oneboxing a url
diff --git a/spec/components/oneboxer_spec.rb b/spec/components/oneboxer_spec.rb
index 6ba23c3a950..601af265fc9 100644
--- a/spec/components/oneboxer_spec.rb
+++ b/spec/components/oneboxer_spec.rb
@@ -98,4 +98,13 @@ describe Oneboxer do
 
   end
 
+  context ".onebox_raw" do
+    it "should escape the onebox URL before processing" do
+      post = Fabricate(:post, raw: Discourse.base_url + "/new?'class=black")
+      cpp = CookedPostProcessor.new(post, invalidate_oneboxes: true)
+      cpp.post_process_oneboxes
+      expect(cpp.html).to eq("http://test.localhost/new?%27class=black")
+    end
+  end
+
 end
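Review bot: `url = URI(url).to_s` in onebox_raw does not percent-encode anything; `URI()` parses and re-serializes the string, so a URL the parser accepts comes back essentially unchanged, and the only new behaviour is that input the parser rejects raises `URI::InvalidURIError` and falls into the `rescue => e` below (whose body continues outside the hunk). That is a reasonable fail-closed guard, but the commit title promises escaping, so the next maintainer will assume the query string is encoded on this line. Either run the url through an actual encoder before handing it to local_onebox/external_onebox, or document the real contract with a comment such as `# URI() only validates the URL shape; malformed input raises URI::InvalidURIError and is swallowed by the rescue below. It does not escape or percent-encode.` Also confirm the rescue path returns a value callers of onebox_raw treat as "no onebox" rather than rendering the unparsed string.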
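Review bot: The new spec in oneboxer_spec.rb asserts on `cpp.html` after `CookedPostProcessor#post_process_oneboxes`, so the `%27` it expects may be produced by the markdown cooking step rather than by the new `URI(url).to_s` line; if so, the test would still pass with that line removed and does not pin the changed method. Call `Oneboxer.onebox_raw` directly with the quoted URL so the expectation is tied to onebox_raw, and add a second example passing a string `URI()` rejects to cover the new rescue path and assert what it returns.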