diff --git a/lib/cooked_post_processor.rb b/lib/cooked_post_processor.rb
index f4249cecde9..dc041acfee8 100644
--- a/lib/cooked_post_processor.rb
+++ b/lib/cooked_post_processor.rb
@@ -269,9 +269,9 @@ class CookedPostProcessor
 informations = "#{original_width}x#{original_height}"
 informations << " #{number_to_human_size(upload.filesize)}" if upload
- a["title"] = img["title"] || filename
+ a["title"] = CGI.escapeHTML(img["title"] || filename)
- meta.add_child create_span_node("filename", img["title"] || filename)
+ meta.add_child create_span_node("filename", a["title"])
 meta.add_child create_span_node("informations", informations)
 meta.add_child create_span_node("expand")
 end
diff --git a/spec/components/cooked_post_processor_spec.rb b/spec/components/cooked_post_processor_spec.rb
index 7d5a5f0b1d7..74a1b0e850e 100644
--- a/spec/components/cooked_post_processor_spec.rb
+++ b/spec/components/cooked_post_processor_spec.rb
@@ -160,6 +160,14 @@ describe CookedPostProcessor do
 expect(cpp).to be_dirty
 end
+ it "should escape the filename" do
+ upload.update_attributes!(original_filename: ">.png")
+ cpp.post_process_images
+ expect(cpp.html).to match_html "
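Review bot: The already-escaped `a["title"]` is now reused as the text of the "filename" span on the second `+` line, so the output depends on how `create_span_node` (not visible here) inserts its argument: if it assigns text content, which Nokogiri escapes on serialization, the filename is escaped twice and the reader sees a literal `&gt;`; if it injects inner HTML, the escaping is what prevents the original filename from being parsed as markup. The same question applies to `a["title"] = CGI.escapeHTML(...)` on the first `+` line, since a Nokogiri attribute assignment is itself escaped when serialized and may yield `&amp;gt;`; the escaping should happen at exactly one layer, and that layer should be named in a comment such as `# filename is user-controlled; escape once here, create_span_node must not escape again`. `CGI.escapeHTML` also assumes `cgi` is loaded, which holds under Rails but is worth confirming for standalone use. The enclosing method starts before and ends after this hunk.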

+&gt;&lt;img src=x onerror=alert(&#39;haha&#39;)&gt;.png1750x2000 1.21 KB +

"
+ end
+
 end
 context "with title" do