SECURITY: Escape HTML in filename.
This commit is contained in:
parent
8dab20e5b8
commit
11afb20772
2 changed files with 10 additions and 2 deletions
@ -270,9 +270,9 @@ class CookedPostProcessor
informations = "#{original_width}x#{original_height}"
informations = "#{original_width}x#{original_height}"
informations << " #{number_to_human_size(upload.filesize)}" if upload
informations << " #{number_to_human_size(upload.filesize)}" if upload
a["title"] = img["title"] || filename
a["title"] = CGI.escapeHTML(img["title"] || filename)
meta.add_child create_span_node("filename", img["title"] || filename)
meta.add_child create_span_node("filename", a["title"])
meta.add_child create_span_node("informations", informations)
meta.add_child create_span_node("informations", informations)
meta.add_child create_span_node("expand")
meta.add_child create_span_node("expand")
end
end
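Review bot: The line `meta.add_child create_span_node("filename", a["title"])` now passes an already-escaped string into the span, so correctness depends on `create_span_node` inserting its argument as raw markup rather than as a text node, which the serializer would escape a second time (`&amp;gt;` instead of `&gt;`); that helper is outside the hunk, so this cannot be confirmed here. The same double-escaping question applies to the `title` attribute on `a`, since Nokogiri escapes attribute values on its own when serializing. A comment at the assignment would make the contract explicit, e.g. `# escaped once here; create_span_node and the serializer must not escape again`. Where `filename` comes from is not visible in the hunk, and the enclosing method starts before it.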
@ -160,6 +160,14 @@ describe CookedPostProcessor do
expect(cpp).to be_dirty
expect(cpp).to be_dirty
end
end
it "should escape the filename" do
upload.update_attributes!(original_filename: "><img src=x onerror=alert('haha')>.png")
cpp.post_process_images
expect(cpp.html).to match_html "<p><div class=\"lightbox-wrapper\"><a data-download-href=\"/subfolder/uploads/default/#{upload.sha1}\" href=\"/subfolder/uploads/default/1/1234567890123456.jpg\" class=\"lightbox\" title=\"&gt;&lt;img src=x onerror=alert(&#39;haha&#39;)&gt;.png\"><img src=\"/subfolder/uploads/default/optimized/1X/#{upload.sha1}_1_690x788.png\" width=\"690\" height=\"788\"><div class=\"meta\">
<span class=\"filename\">&gt;&lt;img src=x onerror=alert(&#39;haha&#39;)&gt;.png</span><span class=\"informations\">1750x2000 1.21 KB</span><span class=\"expand\"></span>
</div></a></div></p>"
end
end
end
context "with title" do
context "with title" do
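Review bot: The expected markup in `expect(cpp.html).to match_html "<p><div class=\"lightbox-wrapper\">..."` is one very long literal full of escaped quotes, which hides the two values the example actually cares about (the escaped `title` attribute and the `<span class="filename">` text); a squiggly heredoc (`<<~HTML`) would carry the same text without the backslashes. Because the whole-document comparison also pins `1750x2000 1.21 KB` and the optimized image path, any unrelated markup change will break this example; a targeted negative assertion such as `expect(cpp.html).not_to include("<img src=x")` would keep the escaping guarantee even when the surrounding markup is refactored. Whether `upload.update_attributes!` on a `let`-backed record leaks into sibling examples depends on the suite's transaction setup, which is not visible here.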