MetuFSS
/
metu.life
2
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Escape URL parts on formatting local status (#4975)

Browse Source
master
unarist 7 years ago committed by Eugen Rochko
parent c8969dca35
commit ec36df97c4
2 changed files with 17 additions and 1 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 2
      app/lib/formatter.rb
  2. 16
      spec/lib/formatter_spec.rb

2
app/lib/formatter.rb
Unescape View File

@ -137,7 +137,7 @@ class Formatter
suffix = url[prefix.length + 30..-1] suffix = url[prefix.length + 30..-1]
cutoff = url[prefix.length..-1].length > 30 cutoff = url[prefix.length..-1].length > 30
"<span class=\"invisible\">#{prefix}</span><span class=\"#{cutoff ? 'ellipsis' : ''}\">#{text}</span><span class=\"invisible\">#{suffix}</span>" "<span class=\"invisible\">#{encode(prefix)}</span><span class=\"#{cutoff ? 'ellipsis' : ''}\">#{encode(text)}</span><span class=\"invisible\">#{encode(suffix)}</span>"
end end
def hashtag_html(tag) def hashtag_html(tag)

16
spec/lib/formatter_spec.rb
Unescape View File

@ -121,6 +121,22 @@ RSpec.describe Formatter do
end end
end end
context 'contains unsafe URL (XSS attack, visible part)' do
let(:text) { %q{http://example.com/b<del>b</del>} }
it 'has escaped HTML' do
is_expected.to include '&lt;del&gt;b&lt;/del&gt;'
end
end
context 'contains unsafe URL (XSS attack, invisible part)' do
let(:text) { %q{http://example.com/blahblahblahblah/a<script>alert("Hello")</script>} }
it 'has escaped HTML' do
is_expected.to include '&lt;script&gt;alert(&quot;Hello&quot;)&lt;/script&gt;'
end
end
context 'contains HTML (script tag)' do context 'contains HTML (script tag)' do
let(:text) { '<script>alert("Hello")</script>' } let(:text) { '<script>alert("Hello")</script>' }

Write Preview
Loading…
Cancel
Save