mirror of
https://github.com/discourse/discourse.git
synced 2024-11-25 09:42:07 +08:00
SECURITY: category badges should HTML escape names
This commit is contained in:
parent
ec3e6a81a4
commit
db14e10943
|
@ -217,7 +217,7 @@ class Category < ActiveRecord::Base
|
|||
|
||||
@@cache ||= LruRedux::ThreadSafeCache.new(1000)
|
||||
@@cache.getset(self.description) do
|
||||
Nokogiri::HTML.fragment(self.description).text.strip
|
||||
Nokogiri::HTML.fragment(self.description).text.strip.html_safe
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -79,7 +79,7 @@ module CategoryBadge
|
|||
|
||||
# category name
|
||||
class_names = 'badge-category clear-badge'
|
||||
description = category.description_text ? "title='#{category.description_text.html_safe}'" : ''
|
||||
description = category.description_text ? "title='#{category.description_text}'" : ''
|
||||
category_url = opts[:absolute_url] ? "#{Discourse.base_url_no_prefix}#{category.url}" : category.url
|
||||
|
||||
extra_span_classes =
|
||||
|
@ -102,7 +102,10 @@ module CategoryBadge
|
|||
result << "<span style='#{extra_span_classes}' data-drop-close='true' class='#{class_names}'
|
||||
#{description}>"
|
||||
|
||||
result << category.name.html_safe << '</span>'
|
||||
"<a class='badge-wrapper #{extra_classes}' href='#{category_url}'" + (opts[:inline_style] ? inline_badge_wrapper_style : '') + ">#{result}</a>"
|
||||
result << ERB::Util.html_escape(category.name) << '</span>'
|
||||
|
||||
result = "<a class='badge-wrapper #{extra_classes}' href='#{category_url}'" + (opts[:inline_style] ? inline_badge_wrapper_style : '') + ">#{result}</a>"
|
||||
|
||||
result.html_safe
|
||||
end
|
||||
end
|
||||
|
|
15
spec/components/category_badge_spec.rb
Normal file
15
spec/components/category_badge_spec.rb
Normal file
|
@ -0,0 +1,15 @@
|
|||
require 'rails_helper'
|
||||
require 'category_badge'
|
||||
|
||||
describe CategoryBadge do
|
||||
it "escapes HTML in category names / descriptions" do
|
||||
c = Fabricate(:category, name: '<b>name</b>', description: '<b>title</b>')
|
||||
|
||||
html = CategoryBadge.html_for(c)
|
||||
|
||||
expect(html).not_to include("<b>title</b>")
|
||||
expect(html).not_to include("<b>name</b>")
|
||||
expect(html).to include(ERB::Util.html_escape("<b>name</b>"))
|
||||
expect(html).to include("title='title'")
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue
Block a user