SECURITY: Escape HTML in filename.

This commit is contained in:
Guo Xiang Tan 2016-08-11 11:27:12 +08:00
parent 8dab20e5b8
commit 11afb20772
2 changed files with 10 additions and 2 deletions


@ -270,9 +270,9 @@ class CookedPostProcessor
informations = "#{original_width}x#{original_height}" informations = "#{original_width}x#{original_height}"
informations << " #{number_to_human_size(upload.filesize)}" if upload informations << " #{number_to_human_size(upload.filesize)}" if upload
a["title"] = img["title"] || filename a["title"] = CGI.escapeHTML(img["title"] || filename)
meta.add_child create_span_node("filename", img["title"] || filename) meta.add_child create_span_node("filename", a["title"])
meta.add_child create_span_node("informations", informations) meta.add_child create_span_node("informations", informations)
meta.add_child create_span_node("expand") meta.add_child create_span_node("expand")
end end
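Review bot: The already-escaped string is also stored in `a["title"]`, and if `a` is a Nokogiri element (the `meta.add_child` calls suggest it is) its serializer entity-encodes attribute values again, so the `title` attribute ends up double-encoded; the spec in the second file pins exactly that (`title=\"&amp;gt;&amp;lt;img …`), and the tooltip a user sees would read the entities literally rather than the filename. Escaping belongs only where raw HTML is assembled by string, which appears to be `create_span_node` (outside the hunk); keep `a["title"] = img["title"] || filename` and pass `CGI.escapeHTML(img["title"] || filename)` to `create_span_node("filename", …)`, or better, have `create_span_node` escape its text argument itself so no caller can forget. The enclosing method starts outside the hunk.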


@ -160,6 +160,14 @@ describe CookedPostProcessor do
expect(cpp).to be_dirty expect(cpp).to be_dirty
end end
it "should escape the filename" do
upload.update_attributes!(original_filename: "><img src=x onerror=alert('haha')>.png")
cpp.post_process_images
expect(cpp.html).to match_html "<p><div class=\"lightbox-wrapper\"><a data-download-href=\"/subfolder/uploads/default/#{upload.sha1}\" href=\"/subfolder/uploads/default/1/1234567890123456.jpg\" class=\"lightbox\" title=\"&amp;gt;&amp;lt;img src=x onerror=alert(&amp;#39;haha&amp;#39;)&amp;gt;.png\"><img src=\"/subfolder/uploads/default/optimized/1X/#{upload.sha1}_1_690x788.png\" width=\"690\" height=\"788\"><div class=\"meta\">
<span class=\"filename\">&amp;gt;&amp;lt;img src=x onerror=alert(&amp;#39;haha&amp;#39;)&amp;gt;.png</span><span class=\"informations\">1750x2000 1.21 KB</span><span class=\"expand\"></span>
</div></a></div></p>"
end
end end
context "with title" do context "with title" do
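Review bot: The expected markup passed to `match_html` is a long double-quoted literal with backslash-escaped quotes and a bare newline inside it, which makes the assertion hard to read and its failure diff hard to interpret; a squiggly heredoc (`expect(cpp.html).to match_html <<~HTML` … `HTML`) keeps the `#{upload.sha1}` interpolation and drops the escaping. The assertion also fixes unrelated values (the `/subfolder/` prefix, `1750x2000 1.21 KB`), so any change to those breaks a test whose purpose is the escaping; an additional narrow check on the `<span class="filename">` content would isolate the security behaviour. The surrounding `describe` block continues outside the hunk.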