diff --git a/app/views/profile/content_tagged.rhtml b/app/views/profile/content_tagged.rhtml
index a8d8427..224f5ec 100644
--- a/app/views/profile/content_tagged.rhtml
+++ b/app/views/profile/content_tagged.rhtml
@@ -1,6 +1,6 @@
 <% add_rss_feed_to_head(_("%s's contents tagged with \"%s\"") % [profile.name, @tag], tag_feed_path) %>
-

<%= _('Content tagged with "%s"') % @tag %>

+

<%= _('Content tagged with "%s"') % CGI.escapeHTML(@tag) %>

<%= link_to image_tag('icons-mime/rss-feed.png', :alt => _('Feed for this tag'), :title => _('Feed for this tag')), tag_feed_path, :class => 'blog-feed-link'%>
@@ -18,6 +18,6 @@
 <%= pagination_links @tagged, :param_name => 'npage' %>
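Review bot: The unchanged first line of this hunk still passes the raw `@tag` to `add_rss_feed_to_head` for the feed title, so whether that attribute value is escaped now depends entirely on the helper's internals, which are not in this diff; unless it is known to escape, that call needs the same treatment as the heading two lines below. The second hunk of this file (line 18) repeats the per-call-site `CGI.escapeHTML(@tag)`; in a Rails view `h(@tag)` is the conventional form and tolerates a nil value, whereas `CGI.escapeHTML` raises when `@tag` is nil. Escaping once in the rendering helper rather than at every interpolation would make it harder for a future call site to forget.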

- <%= link_to _('See content tagged with "%s" in the entire site') % @tag, :controller => 'search', :action => 'tag', :tag => @tag %>
+ <%= link_to _('See content tagged with "%s" in the entire site') % CGI.escapeHTML(@tag), :controller => 'search', :action => 'tag', :tag => @tag %>
<% end %>
diff --git a/app/views/search/index.rhtml b/app/views/search/index.rhtml
index 38b16bd..54b3bf5 100644
--- a/app/views/search/index.rhtml
+++ b/app/views/search/index.rhtml
@@ -1,6 +1,6 @@
-<%= search_page_title(_('Search Results'), :query => @query, :category => @category ? @category.name : nil, :total_results => @total_results) %>
+<%= search_page_title(_('Search Results'), :query => CGI.escapeHTML(@query), :category => @category ? @category.name : nil, :total_results => @total_results) %>
 <%= render :partial => 'search_form', :locals => { :form_title => _("Refine your search"), :simple_search => true } %>
diff --git a/test/functional/profile_controller_test.rb b/test/functional/profile_controller_test.rb
index 7c33326..aecb981 100644
--- a/test/functional/profile_controller_test.rb
+++ b/test/functional/profile_controller_test.rb
@@ -716,6 +716,11 @@ class ProfileControllerTest < Test::Unit::TestCase
 assert_response 302
 end
+ should 'escape xss attack in tag feed' do
+ get :content_tagged, :profile => profile.identifier, :id => ""
+ assert_no_tag :tag => 'wslite'
+ end
+
 should 'reverse the order of posts in tag feed' do
 TextileArticle.create!(:name => 'First post', :profile => profile, :tag_list => 'tag1', :published_at => Time.now)
 TextileArticle.create!(:name => 'Second post', :profile => profile, :tag_list => 'tag1', :published_at => Time.now + 1.day)
diff --git a/test/functional/search_controller_test.rb b/test/functional/search_controller_test.rb
index 832f671..7c67db9 100644
--- a/test/functional/search_controller_test.rb
+++ b/test/functional/search_controller_test.rb
@@ -50,6 +50,11 @@ class SearchControllerTest < Test::Unit::TestCase
 assert_equal 'carne vaca', assigns('filtered_query')
 end
+ should 'espape xss attack' do
+ get 'index', :query => ''
+ assert_no_tag :tag => 'wslite'
+ end
+
 should 'search only in specified types of content' do
 get :index, :query => 'something not important', :find_in => [ 'articles' ]
 assert_equal [:articles], assigns(:results).keys
-- libgit2 0.21.2
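Review bot: `CGI.escapeHTML(@query)` on the added line raises if `@query` is nil, which a request to the search index without a `query` parameter may well produce (the controller is not in this diff, so that is inferred); `h(@query)` or `CGI.escapeHTML(@query.to_s)` covers that case. `@category.name` in the same call is still passed unescaped, and because the escaping lives at this one call site any other caller of `search_page_title` stays unprotected; escaping inside `search_page_title` where the value is written into markup would cover all of them. The hunk header announces five context lines but only the `render :partial` line is visible here, so part of this hunk appears to have been lost in rendering.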
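Review bot: `assert_no_tag :tag => 'wslite'` is a negative-only assertion: it also passes when the response is a redirect, an error page, or a page that never renders the tag at all, so it does not show that the escaping works. Add a positive check that the escaped form reached the body, `assert_response :success` followed by `assert_match(/&lt;wslite&gt;/, @response.body)`. The payload literal appears as `:id => ""` in this rendering, presumably because the page stripped a `<wslite>` element from it; if the committed test really sends an empty string, it exercises nothing. The same two points apply to the assertion in the search_controller_test.rb hunk below.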
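Review bot: The test name `'espape xss attack'` is misspelled; `should 'escape xss attack' do` also keeps it greppable alongside the matching test in profile_controller_test.rb. The added `get 'index', :query => ''` uses a string action name while the neighbouring test in the same hunk calls `get :index`; a symbol matches the file's own style.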