Fix HTML injection in webhooks through card titles

This commit is contained in:
Stanko K.R.
2025-12-22 12:20:32 +01:00
parent 641e67dc2e
commit 0df667f4fb
2 changed files with 11 additions and 1 deletions
+1 -1
View File
@@ -14,7 +14,7 @@ class Event::Description
end
def to_plain_text
to_sentence(creator_name, card.title)
to_sentence(creator_name, h(card.title))
end
private
+10
View File
@@ -32,4 +32,14 @@ class Event::DescriptionTest < ActiveSupport::TestCase
assert_includes description.to_plain_text, "David added"
end
test "escapes html in card titles in plain text description" do
card = cards(:logo)
card.update_column(:title, "<script>alert('xss')</script>")
description = events(:logo_published).description_for(users(:david))
assert_includes description.to_plain_text, "&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;"
assert_not_includes description.to_plain_text, "<script>"
end
end