IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-11-25 10:20:58 -06:00
Code Issues Packages Projects Releases Wiki Activity

SECURITY: Stripping links could unescape html fragments

Browse Source
This commit is contained in:
Robin Ward 2014-09-17 12:08:00 -04:00
parent c16b8364ab
commit 19b4364d79
2 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lib/pretty_text.rb
View File

@ -250,7 +250,7 @@ module PrettyText
# If the user is not basic, strip links from their bio
fragment = Nokogiri::HTML.fragment(string)
fragment.css('a').each {|a| a.replace(a.text) }
fragment.css('a').each {|a| a.replace(a.inner_html) }
fragment.to_html
end

4
spec/components/pretty_text_spec.rb
View File

@ -218,6 +218,10 @@ describe PrettyText do
it "strips links but leaves the text content" do
expect(PrettyText.strip_links("I'm the linked <a href='http://en.wikipedia.org/wiki/Batman'>batman</a>")).to eq("I'm the linked batman")
end
it "escapes the text content" do
expect(PrettyText.strip_links("I'm the linked <a href='http://en.wikipedia.org/wiki/Batman'>&lt;batman&gt;</a>")).to eq("I'm the linked &lt;batman&gt;")
end
end
describe "make_all_links_absolute" do