SECURITY: category badges should HTML escape names

This commit is contained in:
Sam 2018-06-28 18:14:55 +10:00
parent ec3e6a81a4
commit db14e10943
3 changed files with 22 additions and 4 deletions


@ -217,7 +217,7 @@ class Category < ActiveRecord::Base
@@cache ||= LruRedux::ThreadSafeCache.new(1000) @@cache ||= LruRedux::ThreadSafeCache.new(1000)
@@cache.getset(self.description) do @@cache.getset(self.description) do
Nokogiri::HTML.fragment(self.description).text.strip Nokogiri::HTML.fragment(self.description).text.strip.html_safe
end end
end end
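Review bot: Tagging the Nokogiri `.text` output as `html_safe` on the third line of this hunk (taking the right-hand copy as the new side, which matches the badge hunk dropping its own `.html_safe` call) is the risky part of the change: `.text` returns decoded text, so a description containing `<`, quotes or entity-encoded characters comes back as raw characters, and the `html_safe` flag tells ERB templates and `ERB::Util.html_escape` to leave them untouched wherever `description_text` is rendered. Stripping tags is not the same as escaping; the safer shape is to keep the plain string, `Nokogiri::HTML.fragment(self.description).text.strip`, and escape at the point of output, as the badge helper in this commit should do for its `title` attribute. Because the value is memoized through `@@cache`, one html_safe instance is handed to every caller. The `def` line of `description_text` is outside the hunk.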


@ -79,7 +79,7 @@ module CategoryBadge
# category name # category name
class_names = 'badge-category clear-badge' class_names = 'badge-category clear-badge'
description = category.description_text ? "title='#{category.description_text.html_safe}'" : '' description = category.description_text ? "title='#{category.description_text}'" : ''
category_url = opts[:absolute_url] ? "#{Discourse.base_url_no_prefix}#{category.url}" : category.url category_url = opts[:absolute_url] ? "#{Discourse.base_url_no_prefix}#{category.url}" : category.url
extra_span_classes = extra_span_classes =
@ -102,7 +102,10 @@ module CategoryBadge
result << "<span style='#{extra_span_classes}' data-drop-close='true' class='#{class_names}' result << "<span style='#{extra_span_classes}' data-drop-close='true' class='#{class_names}'
#{description}>" #{description}>"
result << category.name.html_safe << '</span>' result << ERB::Util.html_escape(category.name) << '</span>'
"<a class='badge-wrapper #{extra_classes}' href='#{category_url}'" + (opts[:inline_style] ? inline_badge_wrapper_style : '') + ">#{result}</a>"
result = "<a class='badge-wrapper #{extra_classes}' href='#{category_url}'" + (opts[:inline_style] ? inline_badge_wrapper_style : '') + ">#{result}</a>"
result.html_safe
end end
end end
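Review bot: On the new side of the `description = …` line the description text is still interpolated unescaped into a single-quoted `title` attribute; removing `.html_safe` there changes nothing, because `description` is a plain Ruby string built by interpolation and `result` is only marked `html_safe` at the end. Nokogiri's `.text` decodes entities, so a description holding a quote character lands in the attribute as-is and can end it. Escape it the way the name is now escaped in the second hunk: `description = category.description_text ? "title='#{ERB::Util.html_escape(category.description_text.to_str)}'" : ''` — the `.to_str` matters because `html_escape` returns strings already flagged `html_safe` unchanged, and the model change in this commit flags `description_text` that way (`.to_str` on a SafeBuffer should yield a plain String; worth confirming on the Rails version in use). The spec's `title='title'` expectation still holds for that input. The opening lines of `html_for` are outside the hunk.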


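--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,15 @@
+require 'rails_helper'
+require 'category_badge'
+describe CategoryBadge do
+it "escapes HTML in category names / descriptions" do
+c = Fabricate(:category, name: '<b>name</b>', description: '<b>title</b>')
+html = CategoryBadge.html_for(c)
+expect(html).not_to include("<b>title</b>")
+expect(html).not_to include("<b>name</b>")
+expect(html).to include(ERB::Util.html_escape("<b>name</b>"))
+expect(html).to include("title='title'")
+end
+end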
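Review bot: The new spec only checks that `<b>` tags are stripped or escaped, which does not exercise the context the description actually lands in: `description_text` is interpolated into a single-quoted `title` attribute, so a description containing a single quote is the case that shows whether the attribute boundary is escaped. Consider a second example fabricating a category whose description contains `'` and asserting the rendered `title` attribute holds `&#39;` rather than the raw quote. The `include(ERB::Util.html_escape("<b>name</b>"))` expectation passes, but spelling out the expected `&lt;b&gt;name&lt;/b&gt;` would keep the assertion independent of the same escaping call the helper under test uses.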