Merge pull request #2228 from basecamp/fix-html-injection-in-webhook-event-descriptions-through-card-titles

Fix HTML injection in webhooks through card titles
This commit is contained in:
Stanko Krtalić
2025-12-22 12:23:10 +01:00
committed by GitHub
2 changed files with 11 additions and 1 deletions
+1 -1
View File
@@ -14,7 +14,7 @@ class Event::Description
end
def to_plain_text
to_sentence(creator_name, card.title)
to_sentence(creator_name, h(card.title))
end
private
+10
View File
@@ -32,4 +32,14 @@ class Event::DescriptionTest < ActiveSupport::TestCase
assert_includes description.to_plain_text, "David added"
end
test "escapes html in card titles in plain text description" do
card = cards(:logo)
card.update_column(:title, "<script>alert('xss')</script>")
description = events(:logo_published).description_for(users(:david))
assert_includes description.to_plain_text, "&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;"
assert_not_includes description.to_plain_text, "<script>"
end
end