From 0df667f4fbdcd2b572396674e4853927954807cf Mon Sep 17 00:00:00 2001 From: "Stanko K.R." Date: Mon, 22 Dec 2025 12:20:32 +0100 Subject: [PATCH] Fix HTML injection in webhooks through card titles --- app/models/event/description.rb | 2 +- test/models/event/description_test.rb | 10 ++++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/app/models/event/description.rb b/app/models/event/description.rb index 672784ddb..f44233011 100644 --- a/app/models/event/description.rb +++ b/app/models/event/description.rb @@ -14,7 +14,7 @@ class Event::Description end def to_plain_text - to_sentence(creator_name, card.title) + to_sentence(creator_name, h(card.title)) end private diff --git a/test/models/event/description_test.rb b/test/models/event/description_test.rb index e5bd583a7..3139a0c47 100644 --- a/test/models/event/description_test.rb +++ b/test/models/event/description_test.rb @@ -32,4 +32,14 @@ class Event::DescriptionTest < ActiveSupport::TestCase assert_includes description.to_plain_text, "David added" end + + test "escapes html in card titles in plain text description" do + card = cards(:logo) + card.update_column(:title, "") + + description = events(:logo_published).description_for(users(:david)) + + assert_includes description.to_plain_text, "<script>alert('xss')</script>" + assert_not_includes description.to_plain_text, "