SECURITY: XSS on chat excerpts

Non-markdown tags weren't being escaped in chat excerpts. This could be triggered by editing a chat message containing a tag (self XSS), or by replying to a chat message with a tag (XSS). Co-authored-by: Jan Cernik <jancernik12@gmail.com>
2025-02-25 18:55:32 -06:00 · 2023-03-16 13:40:43 -06:00
parent fd16eade7f
commit a373bf2a01
10 changed files with 68 additions and 9 deletions
--- a/plugins/chat/spec/system/chat_channel_spec.rb
+++ b/plugins/chat/spec/system/chat_channel_spec.rb
@@ -189,6 +189,34 @@ RSpec.describe "Chat channel", type: :system, js: true do
    end
  end

+  context "when replying to message that has tags" do
+    fab!(:other_user) { Fabricate(:user) }
+    fab!(:message_2) do
+      Fabricate(
+        :chat_message,
+        user: other_user,
+        chat_channel: channel_1,
+        message: "<mark>not marked</mark>",
+      )
+    end
+
+    before do
+      Fabricate(:chat_message, user: other_user, chat_channel: channel_1)
+      Fabricate(:chat_message, in_reply_to: message_2, user: current_user, chat_channel: channel_1)
+      channel_1.add(other_user)
+      channel_1.add(current_user)
+      sign_in(current_user)
+    end
+
+    it "escapes the reply-to line" do
+      chat.visit_channel(channel_1)
+
+      expect(find(".chat-reply .chat-reply__excerpt")["innerHTML"].strip).to eq(
+        "&lt;mark&gt;not marked&lt;/mark&gt;",
+      )
+    end
+  end
+
  context "when messages are separated by a day" do
    before do
      Fabricate(:chat_message, chat_channel: channel_1, created_at: 2.days.ago)