From 11afb2077288efd6ed224ebecf89bebacb330ed6 Mon Sep 17 00:00:00 2001
From: Guo Xiang Tan
Date: Thu, 11 Aug 2016 11:27:12 +0800
Subject: [PATCH] SECURITY: Escape HTML in filename.
---
 lib/cooked_post_processor.rb | 4 ++--
 spec/components/cooked_post_processor_spec.rb | 8 ++++++++
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/lib/cooked_post_processor.rb b/lib/cooked_post_processor.rb
index 7ae871b6359..720d1a6ff01 100644
--- a/lib/cooked_post_processor.rb
+++ b/lib/cooked_post_processor.rb
@@ -270,9 +270,9 @@ class CookedPostProcessor
 informations = "#{original_width}x#{original_height}"
 informations << " #{number_to_human_size(upload.filesize)}" if upload
- a["title"] = img["title"] || filename
+ a["title"] = CGI.escapeHTML(img["title"] || filename)
- meta.add_child create_span_node("filename", img["title"] || filename)
+ meta.add_child create_span_node("filename", a["title"])
 meta.add_child create_span_node("informations", informations)
 meta.add_child create_span_node("expand")
 end
diff --git a/spec/components/cooked_post_processor_spec.rb b/spec/components/cooked_post_processor_spec.rb
index f31b69484b1..79ef3a248a2 100644
--- a/spec/components/cooked_post_processor_spec.rb
+++ b/spec/components/cooked_post_processor_spec.rb
@@ -160,6 +160,14 @@ describe CookedPostProcessor do
 expect(cpp).to be_dirty
 end
+ it "should escape the filename" do
+ upload.update_attributes!(original_filename: ">.png")
+ cpp.post_process_images
+ expect(cpp.html).to match_html "
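Review bot: The already-escaped string is stored in the Nokogiri attribute `a["title"]` and then passed as the text of the filename span, so if Nokogiri escapes attribute values on serialisation and `create_span_node` sets its text through `Node#content=` (which also escapes on output), a filename such as `>.png` would render double-escaped as `&amp;gt;.png`; `create_span_node` is outside the hunk, so this needs confirming against its definition before relying on the spec's expected markup. The safer shape is to escape at the single point where the string is placed into markup rather than to escape once and reuse the value for two different sinks. Whichever way it is resolved, a why-comment on the added line, `# filename/title are user-controlled; escape before they reach the span markup`, would record the reason for the escape for the next reader. The enclosing method starts and ends outside the hunk.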

+&gt;&lt;img src=x onerror=alert(&#39;haha&#39;)&gt;.png1750x2000 1.21 KB +

" + end + end context "with title" do