SECURITY: escape title HTML for inline onebox

2024-11-26 02:40:53 -06:00 · 2019-01-10 12:02:05 +11:00 · 2019-01-10 12:02:05 +11:00 · 35b59cfa78
commit 35b59cfa78
parent c85b9c6ed3
2 changed files with 4 additions and 3 deletions
--- a/lib/cooked_post_processor.rb
+++ b/lib/cooked_post_processor.rb
@ -655,7 +655,7 @@ class CookedPostProcessor
    )

    if title = inline_onebox&.dig(:title)
-      element.children = title
+      element.children = CGI.escapeHTML(title)
      element.add_class(INLINE_ONEBOX_CSS_CLASS)
    end

--- a/spec/components/cooked_post_processor_spec.rb
+++ b/spec/components/cooked_post_processor_spec.rb
@ -185,7 +185,8 @@ describe CookedPostProcessor do
          ]
        end

-        let(:title) { 'some title' }
+        let(:title) { '<b>some title</b>' }
+        let(:escaped_title) { CGI.escapeHTML(title) }

        let(:post) do
          Fabricate(:post, raw: <<~RAW)
@ -203,7 +204,7 @@ describe CookedPostProcessor do
          urls.each do |url|
            stub_request(:get, url).to_return(
              status: 200,
-              body: "<html><head><title>#{title}</title></head></html>"
+              body: "<html><head><title>#{escaped_title}</title></head></html>"
            )
          end
        end