SECURITY: Properly escape user input when generating email HTML (#455)
parent
bd093da9c9
commit
9788310906
@ -1,4 +1,3 @@
|
|||
3.1.999: afc2ee684de41601d6cecc46713d139760f176a6
|
||||
3.1.0.beta3: 10077ca904956005f9fa83c3d9fb124b59e8c47b
|
||||
2.9.0.beta13: b4c366b35d6f9778e54a878aa083348e8a45e86e
|
||||
2.9.0.beta9: 6f16ae10dc0306d6e1369e0d1414416d7e72141d
|
||||
|
@ -429,8 +429,8 @@ after_initialize do
|
|||
event_name = event_node["data-name"] || post.topic.title
|
||||
event_node.replace <<~TXT
|
||||
<div style='border:1px solid #dedede'>
|
||||
<p><a href="#{Discourse.base_url}#{post.url}">#{event_name}</a></p>
|
||||
<p>#{dates}</p>
|
||||
<p><a href="#{Discourse.base_url}#{post.url}">#{CGI.escape_html(event_name)}</a></p>
|
||||
<p>#{CGI.escape_html(dates)}</p>
|
||||
</div>
|
||||
TXT
|
||||
end
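Review bot: `CGI.escape_html(dates)` on the new `<p>` line raises TypeError if dates is ever nil, where the old `#{dates}` interpolated an empty string; dates is built outside the hunk, so if nil is reachable use `CGI.escape_html(dates.to_s)` (likewise for event_name should post.topic.title be nil). The href on the line above still interpolates post.url into the attribute unescaped; it is presumably a slug path, but escaping it as well keeps the heredoc uniformly escaped: `<a href="#{CGI.escape_html("#{Discourse.base_url}#{post.url}")}">`. A one-line comment above `event_node.replace`, such as `# event_name and dates derive from post content — keep every interpolation escaped`, would protect the fix from being undone in a later edit. The block closed by the final `end` begins outside the hunk.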
|
||||
|
@ -30,6 +30,9 @@ describe PrettyText do
|
|||
|
||||
context "when the event has a name" do
|
||||
let(:post_1) { create_post_with_event(user_1, 'name="Pancakes event"') }
|
||||
let(:post_2) do
|
||||
create_post_with_event(user_1, 'name="Pancakes event <a>with html chars</a>"')
|
||||
end
|
||||
|
||||
it "displays the event name" do
|
||||
cooked = PrettyText.cook(post_1.raw)
|
||||
|
|
@ -41,6 +44,17 @@ describe PrettyText do
|
|||
</div>
|
||||
HTML
|
||||
end
|
||||
|
||||
it "properly escapes title" do
|
||||
cooked = PrettyText.cook(post_2.raw)
|
||||
|
||||
expect(PrettyText.format_for_email(cooked, post_2)).to match_html(<<~HTML)
|
||||
<div style='border:1px solid #dedede'>
|
||||
<p><a href="#{Discourse.base_url}#{post_2.url}">Pancakes event <a>with html chars</a></a></p>
|
||||
<p>2018-06-05T18:39:50.000Z (UTC)</p>
|
||||
</div>
|
||||
HTML
|
||||
end
|
||||
end
|
||||
|
||||
context "when the event has an end date" do
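Review bot: The expectation `<p><a href="...">Pancakes event <a>with html chars</a></a></p>` writes the nested `<a>` as raw markup, while the production change now emits `&lt;a&gt;with html chars&lt;/a&gt;` in that position; unless match_html decodes entities before comparing, the example would not pin the escaping its description promises. Spelling the expected text as `Pancakes event &lt;a&gt;with html chars&lt;/a&gt;` makes the assertion independent of matcher normalization and reads as the explicit escaping check. The describe block continues outside the hunk.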
|
||||
|