From adb1e2cbc8b18a0ada634f945fd5ac48b81fd8fa Mon Sep 17 00:00:00 2001
From: Guo Xiang Tan
Date: Thu, 11 Aug 2016 11:27:12 +0800
Subject: [PATCH] SECURITY: Escape HTML in filename.

---
 lib/cooked_post_processor.rb | 4 ++--
 spec/components/cooked_post_processor_spec.rb | 8 ++++++++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/lib/cooked_post_processor.rb b/lib/cooked_post_processor.rb
index f4249cecde9..dc041acfee8 100644
--- a/lib/cooked_post_processor.rb
+++ b/lib/cooked_post_processor.rb
@@ -269,9 +269,9 @@ class CookedPostProcessor
 informations = "#{original_width}x#{original_height}"
 informations << " #{number_to_human_size(upload.filesize)}" if upload
- a["title"] = img["title"] || filename
+ a["title"] = CGI.escapeHTML(img["title"] || filename)
- meta.add_child create_span_node("filename", img["title"] || filename)
+ meta.add_child create_span_node("filename", a["title"])
 meta.add_child create_span_node("informations", informations)
 meta.add_child create_span_node("expand")
 end
diff --git a/spec/components/cooked_post_processor_spec.rb b/spec/components/cooked_post_processor_spec.rb
index 7d5a5f0b1d7..74a1b0e850e 100644
--- a/spec/components/cooked_post_processor_spec.rb
+++ b/spec/components/cooked_post_processor_spec.rb
@@ -160,6 +160,14 @@ describe CookedPostProcessor do
 expect(cpp).to be_dirty
 end
+ it "should escape the filename" do
+ upload.update_attributes!(original_filename: ">.png")
+ cpp.post_process_images
+ expect(cpp.html).to match_html "
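Review bot: The `CGI.escapeHTML` result on the new `a["title"]` line is stored as a Nokogiri attribute and then reused as the `create_span_node("filename", …)` argument, so if either sink escapes again on serialization (Nokogiri escapes attribute values, and `Node#content=` escapes text) the filename will render double-escaped as `&amp;gt;` rather than `&gt;`, which is a display bug even though it is not an injection. The spec's expected `&gt;&lt;img …` output suggests `create_span_node` currently builds raw markup from its argument, which is the real sink; escaping inside that helper (or assigning via `content=`) would cover every caller instead of only this one, and the attribute could then keep the raw value with `a["title"] = img["title"] || filename`. Nothing in the hunk shows where `filename` or `img["title"]` originate, so whether the upload's `original_filename` is the only untrusted input reaching this point is inferred, not verified. The enclosing method starts outside the hunk, and `create_span_node` is not visible here.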

+&gt;&lt;img src=x onerror=alert(&#39;haha&#39;)&gt;.png1750x2000 1.21 KB +

" + end + end context "with title" do