mirror of
https://github.com/discourse/discourse.git
synced 2024-12-15 23:16:03 +08:00
SECURITY: Escape HTML in filename.
This commit is contained in:
parent
515024a0ac
commit
adb1e2cbc8
|
@ -269,9 +269,9 @@ class CookedPostProcessor
|
|||
informations = "#{original_width}x#{original_height}"
|
||||
informations << " #{number_to_human_size(upload.filesize)}" if upload
|
||||
|
||||
a["title"] = img["title"] || filename
|
||||
a["title"] = CGI.escapeHTML(img["title"] || filename)
|
||||
|
||||
meta.add_child create_span_node("filename", img["title"] || filename)
|
||||
meta.add_child create_span_node("filename", a["title"])
|
||||
meta.add_child create_span_node("informations", informations)
|
||||
meta.add_child create_span_node("expand")
|
||||
end
|
||||
|
|
|
@ -160,6 +160,14 @@ describe CookedPostProcessor do
|
|||
expect(cpp).to be_dirty
|
||||
end
|
||||
|
||||
it "should escape the filename" do
|
||||
upload.update_attributes!(original_filename: "><img src=x onerror=alert('haha')>.png")
|
||||
cpp.post_process_images
|
||||
expect(cpp.html).to match_html "<p><div class=\"lightbox-wrapper\"><a data-download-href=\"/subfolder/uploads/default/#{upload.sha1}\" href=\"/subfolder/uploads/default/1/1234567890123456.jpg\" class=\"lightbox\" title=\"&gt;&lt;img src=x onerror=alert(&#39;haha&#39;)&gt;.png\"><img src=\"/subfolder/uploads/default/optimized/1X/#{upload.sha1}_1_690x788.png\" width=\"690\" height=\"788\"><div class=\"meta\">
|
||||
<span class=\"filename\">&gt;&lt;img src=x onerror=alert(&#39;haha&#39;)&gt;.png</span><span class=\"informations\">1750x2000 1.21 KB</span><span class=\"expand\"></span>
|
||||
</div></a></div></p>"
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
context "with title" do
|
||||
|
|
Loading…
Reference in New Issue
Block a user