Fix HTML injection in webhooks through card titles
This commit is contained in:
@@ -14,7 +14,7 @@ class Event::Description
|
||||
end
|
||||
|
||||
def to_plain_text
|
||||
to_sentence(creator_name, card.title)
|
||||
to_sentence(creator_name, h(card.title))
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
@@ -32,4 +32,14 @@ class Event::DescriptionTest < ActiveSupport::TestCase
|
||||
|
||||
assert_includes description.to_plain_text, "David added"
|
||||
end
|
||||
|
||||
test "escapes html in card titles in plain text description" do
|
||||
card = cards(:logo)
|
||||
card.update_column(:title, "<script>alert('xss')</script>")
|
||||
|
||||
description = events(:logo_published).description_for(users(:david))
|
||||
|
||||
assert_includes description.to_plain_text, "<script>alert('xss')</script>"
|
||||
assert_not_includes description.to_plain_text, "<script>"
|
||||
end
|
||||
end
|
||||
|
||||
Reference in New Issue
Block a user