FEATURE: Treat site settings as plain text and add a new HTML type. (#12618)

To add an extra layer of security, we sanitize settings before shipping them to the client. We don't sanitize those that have the "html" type. The CookedPostProcessor already uses Loofah for sanitization, so I chose to also use it for this. I added it to our gemfile since we installed it as a transitive dependency.
2025-02-25 18:55:32 -06:00 · 2021-04-07 12:51:19 -03:00
parent 11e611f845
commit 5e4c0e2caa
11 changed files with 74 additions and 8 deletions
--- a/spec/components/site_setting_extension_spec.rb
+++ b/spec/components/site_setting_extension_spec.rb
@@ -631,7 +631,7 @@ describe SiteSettingExtension do
    end

    it "is present in all_settings when we ask for hidden" do
-      expect(settings.all_settings(true).find { |s| s[:setting] == :superman_identity }).to be_present
+      expect(settings.all_settings(include_hidden: true).find { |s| s[:setting] == :superman_identity }).to be_present
    end
  end

@@ -842,6 +842,23 @@ describe SiteSettingExtension do
        expect(setting[:default]).to eq(system_upload.url)
      end
    end
+
+    it 'should sanitize html in the site settings' do
+      settings.setting(:with_html, '<script></script>rest')
+      settings.refresh!
+
+      setting = settings.all_settings(sanitize_plain_text_settings: true).last
+
+      expect(setting[:value]).to eq('rest')
+    end
+
+    it 'settings with html type are not sanitized' do
+      settings.setting(:with_html, '<script></script>rest', type: :html)
+
+      setting = settings.all_settings(sanitize_plain_text_settings: true).last
+
+      expect(setting[:value]).to eq('<script></script>rest')
+    end
  end

  describe '.client_settings_json_uncached' do
@@ -855,6 +872,27 @@ describe SiteSettingExtension do
        %Q|{"default_locale":"#{SiteSetting.default_locale}","upload_type":"#{upload.url}","string_type":"haha"}|
      )
    end
+
+    it 'should sanitize html in the site settings' do
+      settings.setting(:with_html, '<script></script>rest', client: true)
+      settings.setting(:with_symbols, '<>rest', client: true)
+      settings.setting(:with_unknown_tag, '<rest>rest', client: true)
+      settings.refresh!
+
+      client_settings = JSON.parse settings.client_settings_json_uncached
+
+      expect(client_settings['with_html']).to eq('rest')
+      expect(client_settings['with_symbols']).to eq('<>rest')
+      expect(client_settings['with_unknown_tag']).to eq('rest')
+    end
+
+    it 'settings with html type are not sanitized' do
+      settings.setting(:with_html, '<script></script>rest', type: :html, client: true)
+
+      client_settings = JSON.parse settings.client_settings_json_uncached
+
+      expect(client_settings['with_html']).to eq('<script></script>rest')
+    end
  end

  describe '.setup_methods' do
--- a/spec/components/site_settings/type_supervisor_spec.rb
+++ b/spec/components/site_settings/type_supervisor_spec.rb
@@ -94,6 +94,9 @@ describe SiteSettings::TypeSupervisor do
      it "'emoji_list' should be at the right position" do
        expect(SiteSettings::TypeSupervisor.types[:emoji_list]).to eq(24)
      end
+      it "'html' should be at the right position" do
+        expect(SiteSettings::TypeSupervisor.types[:html]).to eq(25)
+      end
    end
  end