codeninjasllc/discourse
1
0
Fork 0
mirror of https://github.com/codeninjasllc/discourse.git synced 2025-02-25 07:54:11 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

Topic was not sanitizing <b> and <img> tags from titles

Browse source
This commit is contained in:
Robin Ward 2013-03-06 11:36:42 -05:00
parent e8eb60fe78
commit 30aae8e793
2 changed files with 14 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
app/models/topic.rb
View file

@ -71,7 +71,7 @@ class Topic < ActiveRecord::Base
before_validation do before_validation do
if title.present? if title.present?
self.title = sanitize(title) self.title = sanitize(title, tags: [], attributes: [])
self.title.strip! self.title.strip!
end end
end end

16
spec/models/topic_spec.rb
View file

@ -110,10 +110,20 @@ describe Topic do
end end
context 'html in title' do context 'html in title' do
let(:topic) { Fabricate(:topic, title: "<script>alert('title')</script> is my topic title" ) } let(:topic_bold) { Fabricate(:topic, title: "topic with <b>bold</b> text in its title" ) }
let(:topic_image) { Fabricate(:topic, title: "topic with <img src='something'> image in its title" ) }
let(:topic_script) { Fabricate(:topic, title: "<script>alert('title')</script> is my topic title" ) }
it "should escape the HTML" do it "escapes script contents" do
topic.title.should == "is my topic title" topic_script.title.should == "is my topic title"
end
it "escapes bold contents" do
topic_bold.title.should == "topic with bold text in its title"
end
it "escapes bold contents" do
topic_image.title.should == "topic with image in its title"
end end
end end