diff options
-rw-r--r-- | app/lib/formatter.rb | 2 | ||||
-rw-r--r-- | spec/lib/formatter_spec.rb | 16 |
2 files changed, 17 insertions, 1 deletions
diff --git a/app/lib/formatter.rb b/app/lib/formatter.rb index d9f843f44..575830190 100644 --- a/app/lib/formatter.rb +++ b/app/lib/formatter.rb @@ -137,7 +137,7 @@ class Formatter suffix = url[prefix.length + 30..-1] cutoff = url[prefix.length..-1].length > 30 - "<span class=\"invisible\">#{prefix}</span><span class=\"#{cutoff ? 'ellipsis' : ''}\">#{text}</span><span class=\"invisible\">#{suffix}</span>" + "<span class=\"invisible\">#{encode(prefix)}</span><span class=\"#{cutoff ? 'ellipsis' : ''}\">#{encode(text)}</span><span class=\"invisible\">#{encode(suffix)}</span>" end def hashtag_html(tag) diff --git a/spec/lib/formatter_spec.rb b/spec/lib/formatter_spec.rb index f9b7efac5..b714b317a 100644 --- a/spec/lib/formatter_spec.rb +++ b/spec/lib/formatter_spec.rb @@ -121,6 +121,22 @@ RSpec.describe Formatter do end end + context 'contains unsafe URL (XSS attack, visible part)' do + let(:text) { %q{http://example.com/b<del>b</del>} } + + it 'has escaped HTML' do + is_expected.to include '<del>b</del>' + end + end + + context 'contains unsafe URL (XSS attack, invisible part)' do + let(:text) { %q{http://example.com/blahblahblahblah/a<script>alert("Hello")</script>} } + + it 'has escaped HTML' do + is_expected.to include '<script>alert("Hello")</script>' + end + end + context 'contains HTML (script tag)' do let(:text) { '<script>alert("Hello")</script>' } |