Avoid string manipulation when autolinking.
Instead, let's use a Loofah scrubber which will create DOM nodes directly. This should be faster and is a tiny bit simpler, as well as removing a potential HTML injection vector. Also, add "noreferrer" to all `mailto:` links (already present on URLs).
This commit is contained in:
@@ -60,6 +60,15 @@ class HtmlHelperTest < ActionView::TestCase
|
||||
format_html(%(<img src="https://example.com/"!>))
|
||||
end
|
||||
|
||||
test "make sure the linked content is properly sanitized" do
|
||||
# https://hackerone.com/reports/3481093
|
||||
result = format_html(%(https://google.com/\">test</a><input></input>))
|
||||
assert_no_match(/<input>/i, result, "should not create an input element")
|
||||
|
||||
result = format_html(%(https://google.com/\"><script>alert('xss')</script>))
|
||||
assert_no_match(/<script>/i, result, "should not create a script element")
|
||||
end
|
||||
|
||||
test "handle URLs with query parameters" do
|
||||
# use assert_equal and not assert_equal_html to make sure we're getting entities correct
|
||||
assert_equal \
|
||||
@@ -79,7 +88,7 @@ class HtmlHelperTest < ActionView::TestCase
|
||||
|
||||
test "convert email addresses into mailto links" do
|
||||
assert_equal_html \
|
||||
%(<p>Contact us at <a href="mailto:support@example.com">support@example.com</a></p>),
|
||||
%(<p>Contact us at <a href="mailto:support@example.com" rel="noreferrer">support@example.com</a></p>),
|
||||
format_html("<p>Contact us at support@example.com</p>")
|
||||
end
|
||||
|
||||
|
||||
Reference in New Issue
Block a user