SECURITY: Oneboxer should escape the URL before processing

Vinoth Kannan 2018-03-15 19:57:55 +05:30
parent c589564f6a
commit 58bb3967e5
2 changed files with 11 additions and 0 deletions


@ -1,3 +1,4 @@
require 'uri'
require_dependency "onebox/discourse_onebox_sanitize_config"
require_dependency 'final_destination'
@ -131,6 +132,7 @@ module Oneboxer
end
def self.onebox_raw(url, opts = {})
url = URI(url).to_s
local_onebox(url, opts) || external_onebox(url)
rescue => e
# no point warning here, just cause we have an issue oneboxing a url
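Review bot: The new `url = URI(url).to_s` line relies on `URI()` raising for unparseable input, and that exception lands in the same `rescue => e` that already covers onebox failures, so a rejected URL and a failed onebox are indistinguishable to a reader and, judging by the comment, are not logged either; the rescue body continues outside the hunk. A short comment on the new line would record the intent, e.g. `# Parse and re-serialize so only a well-formed URI reaches the onebox engines; a malformed one raises into the rescue below`. Note also that round-tripping through `URI` is not the same as percent-encoding: under RFC 3986 a quote is a permitted sub-delimiter in the query, so whether `'` comes back as `%27` from this line or from a later step is worth confirming against the spec's expectation. A direct unit test of `Oneboxer.onebox_raw` with a URL that `URI()` rejects, asserting what the method returns, would pin the new behaviour better than the integration path alone.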


@ -98,4 +98,13 @@ describe Oneboxer do
end
context ".onebox_raw" do
it "should escape the onebox URL before processing" do
post = Fabricate(:post, raw: Discourse.base_url + "/new?'class=black")
cpp = CookedPostProcessor.new(post, invalidate_oneboxes: true)
cpp.post_process_oneboxes
expect(cpp.html).to eq("<a href=\"#{Discourse.base_url}/new?%27class=black\">http://test.localhost/new?%27class=black</a>")
end
end
end
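Review bot: The expectation in the `expect(cpp.html)` line mixes `#{Discourse.base_url}` in the href with a hard-coded `http://test.localhost` in the link text, so the assertion silently depends on the test base URL matching that literal; use the interpolation in both places, `expect(cpp.html).to eq("<a href=\"#{Discourse.base_url}/new?%27class=black\">#{Discourse.base_url}/new?%27class=black</a>")`. The example also sits under a `context ".onebox_raw"` block but never calls `Oneboxer.onebox_raw` directly, going through `CookedPostProcessor` instead, so a regression in that method's escaping would only be caught if the post-processing path still reaches it unchanged. An additional example that calls `Oneboxer.onebox_raw` with the same input and asserts on its return value would tie the spec to the method the context names.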