SECURITY: Oneboxer should escape the URL before processing
This commit is contained in:
parent
c589564f6a
commit
58bb3967e5
|
@ -1,3 +1,4 @@
|
|||
require 'uri'
|
||||
require_dependency "onebox/discourse_onebox_sanitize_config"
|
||||
require_dependency 'final_destination'
|
||||
|
||||
|
@ -131,6 +132,7 @@ module Oneboxer
|
|||
end
|
||||
|
||||
def self.onebox_raw(url, opts = {})
|
||||
url = URI(url).to_s
|
||||
local_onebox(url, opts) || external_onebox(url)
|
||||
rescue => e
|
||||
# no point warning here, just cause we have an issue oneboxing a url
|
||||
|
|
|
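Review bot: The added `url = URI(url).to_s` line parses and re-serializes the URL but does not by itself percent-encode characters such as `'`, so what it really does is reject input that `URI()` cannot parse: that raises `URI::InvalidURIError`, which the `rescue => e` further down in the hunk swallows, and the URL is then not oneboxed at all. That is a defensible outcome, but the commit title says "escape", so the line deserves a comment making the actual contract explicit, for example `# Validate by parsing: anything URI() rejects raises and is caught below, so it never reaches local_onebox/external_onebox`. If the `%27` the spec expects is meant to come from this line, I would want that confirmed, since by my reading it has to come from elsewhere in the pipeline. The body of onebox_raw continues past the end of the hunk.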
@ -98,4 +98,13 @@ describe Oneboxer do
|
|||
|
||||
end
|
||||
|
||||
context ".onebox_raw" do
|
||||
it "should escape the onebox URL before processing" do
|
||||
post = Fabricate(:post, raw: Discourse.base_url + "/new?'class=black")
|
||||
cpp = CookedPostProcessor.new(post, invalidate_oneboxes: true)
|
||||
cpp.post_process_oneboxes
|
||||
expect(cpp.html).to eq("<a href=\"#{Discourse.base_url}/new?%27class=black\">http://test.localhost/new?%27class=black</a>")
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
|
|
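Review bot: The expectation on the `expect(cpp.html)` line interpolates `#{Discourse.base_url}` into the href but hard-codes `http://test.localhost` in the link text, so the spec depends on the test environment's base URL in one place and not the other; use the interpolation in both: `expect(cpp.html).to eq("<a href=\"#{Discourse.base_url}/new?%27class=black\">#{Discourse.base_url}/new?%27class=black</a>")`. The `context ".onebox_raw"` block also never calls `Oneboxer.onebox_raw` itself but drives `CookedPostProcessor#post_process_oneboxes`, so it pins the end-to-end cooked output rather than the behaviour of the method this commit changes; a direct example such as `expect { Oneboxer.onebox_raw("not a url") }.not_to raise_error` would keep the regression test independent of the cooking pipeline. The enclosing `describe Oneboxer` block starts outside the hunk.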