Topic was not sanitizing <b> and <img> tags from titles
This commit is contained in:
parent
e8eb60fe78
commit
30aae8e793
2 changed files with 14 additions and 4 deletions
@ -71,7 +71,7 @@ class Topic < ActiveRecord::Base
|
|||
|
||||
before_validation do
|
||||
if title.present?
|
||||
self.title = sanitize(title)
|
||||
self.title = sanitize(title, tags: [], attributes: [])
|
||||
self.title.strip!
|
||||
end
|
||||
end
|
||||
|
|
|
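Review bot: The new `self.title = sanitize(title, tags: [], attributes: [])` strips markup rather than escaping it, so any legitimate angle-bracket text in a title (a topic about the `<b>` tag itself, or `a < b`) is dropped silently instead of being kept as escaped text; if that is the intended contract, a comment on that line would make it explicit, e.g. `# strip (not escape) all markup: an empty tag/attribute allowlist leaves only text nodes`. The whitespace around a removed tag is presumably not collapsed, so `"a <img src='x'> b"` would come out as `"a  b"` and the `strip!` on the following line only trims the ends — worth confirming against the sanitizer in use. A title made up entirely of markup reduces to an empty string here; since `if title.present?` was evaluated before sanitizing, rejecting that case is left to whatever validation runs afterwards, which is outside this hunk. The `before_validation` block is complete within the hunk, but the `Topic` class continues outside it.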
@ -110,10 +110,20 @@ describe Topic do
|
|||
end
|
||||
|
||||
context 'html in title' do
|
||||
let(:topic) { Fabricate(:topic, title: "<script>alert('title')</script> is my topic title" ) }
|
||||
let(:topic_bold) { Fabricate(:topic, title: "topic with <b>bold</b> text in its title" ) }
|
||||
let(:topic_image) { Fabricate(:topic, title: "topic with <img src='something'> image in its title" ) }
|
||||
let(:topic_script) { Fabricate(:topic, title: "<script>alert('title')</script> is my topic title" ) }
|
||||
|
||||
it "should escape the HTML" do
|
||||
topic.title.should == "is my topic title"
|
||||
it "escapes script contents" do
|
||||
topic_script.title.should == "is my topic title"
|
||||
end
|
||||
|
||||
it "escapes bold contents" do
|
||||
topic_bold.title.should == "topic with bold text in its title"
|
||||
end
|
||||
|
||||
it "escapes bold contents" do
|
||||
topic_image.title.should == "topic with image in its title"
|
||||
end
|
||||
|
||||
end
|
||||
|
|
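Review bot: The third example, the one asserting `topic_image.title.should == "topic with image in its title"`, reuses the description `it "escapes bold contents" do` from the example above it, so a failure in either would be reported under the same name; change it to `it "strips image tags" do`. The other descriptions also say "escapes" while every assertion checks that the tag, and for `<script>` its contents too, is removed entirely, so "strips" describes the contract more accurately. The image expectation further assumes the space left where `<img src='something'>` stood is collapsed to a single space; if the sanitizer only removes the tag, the title would carry two spaces there and this example would fail, which is worth checking against the model. The `context 'html in title'` block is complete within the hunk; the enclosing `describe Topic` starts outside it.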