Commit 8cab970cd3df9dca50e9a75e860344d62f68b3ef
1 parent
f4480800
Exists in
master
and in
22 other branches
Fix XSS protection in article titles
(ActionItem1667)
Showing
4 changed files
with
26 additions
and
5 deletions
Show diff stats
app/models/article.rb
| ... | ... | @@ -26,7 +26,7 @@ class Article < ActiveRecord::Base |
| 26 | 26 | article.published_at = article.created_at if article.published_at.nil? |
| 27 | 27 | end |
| 28 | 28 | |
| 29 | - xss_terminate :only => [ :name ], :on => 'validation' | |
| 29 | + xss_terminate :only => [ :name ], :on => 'validation', :with => 'white_list' | |
| 30 | 30 | |
| 31 | 31 | named_scope :in_category, lambda { |category| |
| 32 | 32 | {:include => 'categories', :conditions => { 'categories.id' => category.id }} | ... | ... |
app/models/tiny_mce_article.rb
| ... | ... | @@ -8,9 +8,9 @@ class TinyMceArticle < TextArticle |
| 8 | 8 | _('Not accessible for visually impaired users.') |
| 9 | 9 | end |
| 10 | 10 | |
| 11 | - xss_terminate :except => [ :abstract, :body ] | |
| 11 | + xss_terminate :only => [ ] | |
| 12 | 12 | |
| 13 | - xss_terminate :only => [ :abstract, :body ], :with => 'white_list', :on => 'validation' | |
| 13 | + xss_terminate :only => [ :name, :abstract, :body ], :with => 'white_list', :on => 'validation' | |
| 14 | 14 | |
| 15 | 15 | include WhiteListFilter |
| 16 | 16 | filter_iframes :abstract, :body, :whitelist => lambda { profile && profile.environment && profile.environment.trusted_sites_for_iframe } | ... | ... |
test/unit/article_test.rb
| ... | ... | @@ -862,7 +862,24 @@ class ArticleTest < Test::Unit::TestCase |
| 862 | 862 | article.name = "<h1 Bla </h1>" |
| 863 | 863 | article.valid? |
| 864 | 864 | |
| 865 | - assert article.errors.invalid?(:name) | |
| 865 | + assert_no_match /<[^>]*</, article.name | |
| 866 | + end | |
| 867 | + | |
| 868 | + should 'not doubly escape quotes in the name' do | |
| 869 | + profile = fast_create(Profile) | |
| 870 | + a = fast_create(Article, :profile_id => profile.id) | |
| 871 | + p = PublishedArticle.create!(:reference_article => a, :profile => fast_create(Community)) | |
| 872 | + | |
| 873 | + p.name = 'title with "quotes"' | |
| 874 | + p.save | |
| 875 | + assert_equal 'title with "quotes"', p.name | |
| 876 | + end | |
| 877 | + | |
| 878 | + should 'remove script tags from name' do | |
| 879 | + a = Article.new(:name => 'hello <script>alert(1)</script>') | |
| 880 | + a.valid? | |
| 881 | + | |
| 882 | + assert_no_match(/<script>/, a.name) | |
| 866 | 883 | end |
| 867 | 884 | |
| 868 | 885 | should 'escape malformed html tags' do |
| ... | ... | @@ -878,5 +895,4 @@ class ArticleTest < Test::Unit::TestCase |
| 878 | 895 | article.name = 'a123456789abcdefghij' |
| 879 | 896 | assert_equal 'a123456789ab...', article.short_title |
| 880 | 897 | end |
| 881 | - | |
| 882 | 898 | end | ... | ... |
test/unit/tiny_mce_article_test.rb
| ... | ... | @@ -113,4 +113,9 @@ class TinyMceArticleTest < Test::Unit::TestCase |
| 113 | 113 | assert_match /<!-- .* --> <h1> Wellformed html code <\/h1>/, article.body |
| 114 | 114 | end |
| 115 | 115 | |
| 116 | + should 'not allow XSS on name' do | |
| 117 | + article = TinyMceArticle.create!(:name => 'title with <script>alert("xss")</script>', :profile => profile) | |
| 118 | + assert_no_match /script/, article.name | |
| 119 | + end | |
| 120 | + | |
| 116 | 121 | end | ... | ... |