author | unarist <m.unarist@gmail.com> | 2017-09-17 04:33:52 +0900 |
---|---|---|
committer | Eugen Rochko <eugen@zeonfederated.com> | 2017-09-16 21:33:52 +0200 |
commit | ec36df97c4ea3da4bc177a96050c54cf8f35ba25 (patch) | |
tree | 93e6e8172fc06de2e43df6c0bbf5c2788a576e61 | |
parent | c8969dca3581cb82c5787f37bb4022f7af74cd15 (diff) |
Escape URL parts on formatting local status (#4975)
-rw-r--r-- | app/lib/formatter.rb | 2 | ||||
-rw-r--r-- | spec/lib/formatter_spec.rb | 16 |
2 files changed, 17 insertions, 1 deletions
diff --git a/app/lib/formatter.rb b/app/lib/formatter.rb
index d9f843f44..575830190 100644
--- a/app/lib/formatter.rb
+++ b/app/lib/formatter.rb
@@ -137,7 +137,7 @@ class Formatter
 suffix = url[prefix.length + 30..-1]
 cutoff = url[prefix.length..-1].length > 30

- "<span class=\"invisible\">#{prefix}</span><span class=\"#{cutoff ? 'ellipsis' : ''}\">#{text}</span><span class=\"invisible\">#{suffix}</span>"
+ "<span class=\"invisible\">#{encode(prefix)}</span><span class=\"#{cutoff ? 'ellipsis' : ''}\">#{encode(text)}</span><span class=\"invisible\">#{encode(suffix)}</span>"
 end

 def hashtag_html(tag)
diff --git a/spec/lib/formatter_spec.rb b/spec/lib/formatter_spec.rb
index f9b7efac5..b714b317a 100644
--- a/spec/lib/formatter_spec.rb
+++ b/spec/lib/formatter_spec.rb
@@ -121,6 +121,22 @@ RSpec.describe Formatter do
 end
 end

+ context 'contains unsafe URL (XSS attack, visible part)' do
+ let(:text) { %q{http://example.com/b<del>b</del>} }
+
+ it 'has escaped HTML' do
+ is_expected.to include '<del>b</del>'
+ end
+ end
+
+ context 'contains unsafe URL (XSS attack, invisible part)' do
+ let(:text) { %q{http://example.com/blahblahblahblah/a<script>alert("Hello")</script>} }
+
+ it 'has escaped HTML' do
+ is_expected.to include '<script>alert("Hello")</script>'
+ end
+ end
+
 context 'contains HTML (script tag)' do
 let(:text) { '<script>alert("Hello")</script>' } |
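Review bot: `suffix` is nil whenever fewer than 30 characters follow `prefix`, because `url[prefix.length + 30..-1]` returns nil once the start index runs past the end of the string, so the new `encode(suffix)` on the `+` line hands nil to `encode` where the old interpolation silently produced an empty string. `encode` is not visible in this hunk; if it does not call `to_s` on its argument every short URL will now raise, so either write `encode(suffix.to_s)` or add a comment on that line such as `# suffix is nil for short URLs; encode must tolerate nil`. The escaping added here covers only the visible link text — the `href` attribute is built by the caller outside this hunk and still needs attribute escaping of its own, which this change cannot show. `link_html` begins before the hunk.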
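Review bot: The two `is_expected.to include` lines read here as the raw `<del>b</del>` and `<script>alert("Hello")</script>` strings, which the unpatched formatter would likely satisfy as well; this is presumably the page rendering decoding entities, and the assertions need to target the encoded form, e.g. `is_expected.to include '&lt;del&gt;b&lt;/del&gt;'`. Either way each case would be tighter with a negative assertion beside it, `is_expected.not_to include '<script>'` (and `'<del>'` for the first), so a regression that emits the raw tag fails instead of passing by substring coincidence. A third case with a `"` in the URL would also exercise attribute escaping of the generated `href`, which neither example here does.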