diff --git a/lib/onebox/engine/github_issue_onebox.rb b/lib/onebox/engine/github_issue_onebox.rb
index 510fc0ca3e2..ef09cac8f9b 100644
--- a/lib/onebox/engine/github_issue_onebox.rb
+++ b/lib/onebox/engine/github_issue_onebox.rb
@@ -36,7 +36,7 @@ module Onebox
body, excerpt = compute_body(raw["body"])
ulink = URI(link)
- labels = raw["labels"].map { |l| { name: Emoji.codes_to_img(l["name"]) } }
+ labels = raw["labels"].map { |l| { name: Emoji.codes_to_img(CGI.escapeHTML(l["name"])) } }
{
link: @url,
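Review bot: The escape-before-emoji ordering on the added line is load-bearing but undocumented: `CGI.escapeHTML` has to run on `l["name"]` before `Emoji.codes_to_img`, otherwise the `<img>` markup the emoji helper emits would itself be escaped, so a one-line comment should pin the intent, e.g. `# escape the user-controlled label text first so its markup is neutralised but the emoji <img> substituted afterwards survives`. It also appears, though the helper is not visible here, that `CGI.escapeHTML` raises a TypeError on a nil name where the previous call may have tolerated it; `CGI.escapeHTML(l["name"].to_s)` would keep the old tolerance for a missing field. Whether the other `raw` fields rendered into the same hash (the body handed to `compute_body` two lines up, and the rest of the hash below) receive equivalent treatment is not visible in this hunk. The enclosing method starts and ends outside the hunk.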
diff --git a/lib/onebox/templates/discourse_category_onebox.mustache b/lib/onebox/templates/discourse_category_onebox.mustache
index fb8ddd3300c..24c9fcb3179 100644
--- a/lib/onebox/templates/discourse_category_onebox.mustache
+++ b/lib/onebox/templates/discourse_category_onebox.mustache
@@ -6,15 +6,15 @@
{{#description}}
- {{{description}}}
+ {{description}}
{{/description}}
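Review bot: Switching `{{{description}}}` to `{{description}}` is only right if the value bound to `description` is plain text; if the engine binds a cooked/HTML excerpt, its markup will now render as literal entities instead of being sanitised upstream, so the binding side should be confirmed. The same question applies to `{{name}}` in the subcategories hunk of this file and to `{{channel_name}}` in the discourse_chat.mustache hunk. Once confirmed, a template comment such as `{{! description is plain text; rendered with double braces so Mustache escapes it — do not revert to triple braces }}` records why the escaping form is deliberate. The two blank `-`/`+` lines in the subcategories hunk look like wrapper elements whose tags were lost from this page, so I cannot review them.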
@@ -23,8 +23,8 @@
{{#subcategories}}
-
- {{{name}}}
+
+ {{name}}
{{/subcategories}}
diff --git a/plugins/chat/lib/onebox/templates/discourse_chat.mustache b/plugins/chat/lib/onebox/templates/discourse_chat.mustache
index c0fdf1ff9d4..50d1284abc1 100644
--- a/plugins/chat/lib/onebox/templates/discourse_chat.mustache
+++ b/plugins/chat/lib/onebox/templates/discourse_chat.mustache
@@ -8,7 +8,7 @@
{{/is_category}}
- {{{channel_name}}}
+ {{channel_name}}
{{#description}}
diff --git a/spec/fixtures/onebox/github_issue_onebox.response b/spec/fixtures/onebox/github_issue_onebox.response
new file mode 100644
index 00000000000..29d16c20f23
--- /dev/null
+++ b/spec/fixtures/onebox/github_issue_onebox.response
@@ -0,0 +1,73 @@
+{
+ "url": "https://api.github.com/repos/romanrizzi/avalancha-parser/issues/2",
+ "repository_url": "https://api.github.com/repos/romanrizzi/avalancha-parser",
+ "labels_url": "https://api.github.com/repos/romanrizzi/avalancha-parser/issues/2/labels{/name}",
+ "comments_url": "https://api.github.com/repos/romanrizzi/avalancha-parser/issues/2/comments",
+ "events_url": "https://api.github.com/repos/romanrizzi/avalancha-parser/issues/2/events",
+ "html_url": "https://github.com/romanrizzi/avalancha-parser/issues/2",
+ "id": 1957276127,
+ "node_id": "I_kwDOEdKQe850qanf",
+ "number": 2,
+ "title": "Test issue #2",
+ "user": {
+ "login": "romanrizzi",
+ "id": 5025816,
+ "node_id": "MDQ6VXNlcjUwMjU4MTY=",
+ "avatar_url": "https://avatars.githubusercontent.com/u/5025816?v=4",
+ "gravatar_id": "",
+ "url": "https://api.github.com/users/romanrizzi",
+ "html_url": "https://github.com/romanrizzi",
+ "followers_url": "https://api.github.com/users/romanrizzi/followers",
+ "following_url": "https://api.github.com/users/romanrizzi/following{/other_user}",
+ "gists_url": "https://api.github.com/users/romanrizzi/gists{/gist_id}",
+ "starred_url": "https://api.github.com/users/romanrizzi/starred{/owner}{/repo}",
+ "subscriptions_url": "https://api.github.com/users/romanrizzi/subscriptions",
+ "organizations_url": "https://api.github.com/users/romanrizzi/orgs",
+ "repos_url": "https://api.github.com/users/romanrizzi/repos",
+ "events_url": "https://api.github.com/users/romanrizzi/events{/privacy}",
+ "received_events_url": "https://api.github.com/users/romanrizzi/received_events",
+ "type": "User",
+ "site_admin": false
+ },
+ "labels": [
+ {
+ "id": 6119137046,
+ "node_id": "LA_kwDOEdKQe88AAAABbLqfFg",
+ "url": "https://api.github.com/repos/romanrizzi/avalancha-parser/labels/Test%20:+1:%20%3Cstyle%3Ebody%20%7Bdisplay:%20none%7D%3C/style%3E",
+ "name": "Test :+1: ",
+ "color": "0E8A16",
+ "default": false,
+ "description": ""
+ }
+ ],
+ "state": "open",
+ "locked": false,
+ "assignee": null,
+ "assignees": [
+
+ ],
+ "milestone": null,
+ "comments": 0,
+ "created_at": "2023-10-23T14:13:07Z",
+ "updated_at": "2023-10-23T14:13:07Z",
+ "closed_at": null,
+ "author_association": "OWNER",
+ "active_lock_reason": null,
+ "body": "test",
+ "closed_by": null,
+ "reactions": {
+ "url": "https://api.github.com/repos/romanrizzi/avalancha-parser/issues/2/reactions",
+ "total_count": 0,
+ "+1": 0,
+ "-1": 0,
+ "laugh": 0,
+ "hooray": 0,
+ "confused": 0,
+ "heart": 0,
+ "rocket": 0,
+ "eyes": 0
+ },
+ "timeline_url": "https://api.github.com/repos/romanrizzi/avalancha-parser/issues/2/timeline",
+ "performed_via_github_app": null,
+ "state_reason": null
+}
diff --git a/spec/lib/onebox/engine/github_issue_onebox_spec.rb b/spec/lib/onebox/engine/github_issue_onebox_spec.rb
new file mode 100644
index 00000000000..d2507e8f9bd
--- /dev/null
+++ b/spec/lib/onebox/engine/github_issue_onebox_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+RSpec.describe Onebox::Engine::GithubIssueOnebox do
+ before do
+ @link = "https://github.com/discourse/discourse/issues/1"
+
+ stub_request(:get, "https://api.github.com/repos/discourse/discourse/issues/1").to_return(
+ status: 200,
+ body: onebox_response("github_issue_onebox"),
+ )
+ end
+
+ include_context "with engines"
+ it_behaves_like "an engine"
+
+ describe "#to_html" do
+ it "sanitizes the input and transform the emoji into an img tag" do
+ sanitized_label =
+ 'Test <style>body {display: none}</style>'
+
+ expect(html).to include(sanitized_label)
+ end
+ end
+end
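Review bot: The expectation on the `sanitized_label` line does not pin what the example title promises: as shown here it matches a literal `<style>` sequence and contains no emoji `<img` fragment, so either the `&lt;`/`&gt;` entities and the image tag were lost from this page or the test would pass on exactly the unescaped output it is meant to reject. Make the assertion robust to that ambiguity with a negative check, `expect(html).not_to include("<style>")`, plus a positive check for the emoji markup, `expect(html).to include("<img")`, alongside the exact-string match. The fixture's `"name"` field (`"Test :+1: "`) likewise appears to lack the `<style>` payload that its `"url"` field encodes, so please confirm the committed fixture actually carries it. `@link` is assigned in `before` but nothing visible reads it; presumably the "with engines" shared context does.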