diff --git a/app/views/profile/content_tagged.rhtml b/app/views/profile/content_tagged.rhtml
index a8d8427..224f5ec 100644
--- a/app/views/profile/content_tagged.rhtml
+++ b/app/views/profile/content_tagged.rhtml
@@ -1,6 +1,6 @@
<% add_rss_feed_to_head(_("%s's contents tagged with \"%s\"") % [profile.name, @tag], tag_feed_path) %>
-
<%= _('Content tagged with "%s"') % @tag %>
+<%= _('Content tagged with "%s"') % CGI.escapeHTML(@tag) %>
<%= link_to image_tag('icons-mime/rss-feed.png', :alt => _('Feed for this tag'), :title => _('Feed for this tag')), tag_feed_path, :class => 'blog-feed-link'%>
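Review bot: `CGI.escapeHTML(@tag)` on the added heading line fixes that reflected output, but the feed title on the context line above, `_("%s's contents tagged with \"%s\"") % [profile.name, @tag]`, still receives the raw tag; whether `add_rss_feed_to_head` escapes it before emitting the `<link title=...>` markup is not visible in this hunk and should be confirmed. Rails' `h()` helper (`ERB::Util.html_escape`) is the conventional escaper in views and, unlike `CGI.escapeHTML`, tolerates a nil argument, so `<%= _('Content tagged with "%s"') % h(@tag) %>` would be the idiomatic form. As this hunk is rendered, the original `% @tag` heading is not clearly marked as removed; make sure it does not survive on the new side next to the escaped copy.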
@@ -18,6 +18,6 @@
<%= pagination_links @tagged, :param_name => 'npage' %>
- <%= link_to _('See content tagged with "%s" in the entire site') % @tag, :controller => 'search', :action => 'tag', :tag => @tag %>
+ <%= link_to _('See content tagged with "%s" in the entire site') % CGI.escapeHTML(@tag), :controller => 'search', :action => 'tag', :tag => @tag %>
<% end %>
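Review bot: Escaping the link label with `CGI.escapeHTML(@tag)` is correct for this Rails generation, where `link_to` does not escape its text, but it puts the escaping decision at the call site; if the view layer is later made auto-escaping this label becomes double-encoded. Leaving `:tag => @tag` raw in the URL options is right, since `url_for` percent-encodes parameters. For consistency with other Rails views, `h(@tag)` is preferable to `CGI.escapeHTML(@tag)`. The enclosing `<% ... %>` block that `<% end %>` closes starts outside this hunk.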
diff --git a/app/views/search/index.rhtml b/app/views/search/index.rhtml
index 38b16bd..54b3bf5 100644
--- a/app/views/search/index.rhtml
+++ b/app/views/search/index.rhtml
@@ -1,6 +1,6 @@
-<%= search_page_title(_('Search Results'), :query => @query, :category => @category ? @category.name : nil, :total_results => @total_results) %>
+<%= search_page_title(_('Search Results'), :query => CGI.escapeHTML(@query), :category => @category ? @category.name : nil, :total_results => @total_results) %>
<%= render :partial => 'search_form', :locals => { :form_title => _("Refine your search"), :simple_search => true } %>
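Review bot: `CGI.escapeHTML(@query)` raises when `@query` is nil, so a request to the search index with no `query` parameter would now fail unless the controller always assigns a string — that is not visible here, and `h(@query)` would be both nil-safe and the idiomatic Rails escaper. Escaping inside the argument to `search_page_title` also assumes that helper inserts `:query` verbatim and never escapes it itself; if it does, or is later changed to, the title shows `&amp;lt;`, so the escaping arguably belongs inside the helper. `@category.name` on the same line is still passed raw; that is fine only if category names are not user-controlled.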
diff --git a/test/functional/profile_controller_test.rb b/test/functional/profile_controller_test.rb
index 7c33326..aecb981 100644
--- a/test/functional/profile_controller_test.rb
+++ b/test/functional/profile_controller_test.rb
@@ -716,6 +716,11 @@ class ProfileControllerTest < Test::Unit::TestCase
assert_response 302
end
+ should 'escape xss attack in tag feed' do
+ get :content_tagged, :profile => profile.identifier, :id => ""
+ assert_no_tag :tag => 'wslite'
+ end
+
should 'reverse the order of posts in tag feed' do
TextileArticle.create!(:name => 'First post', :profile => profile, :tag_list => 'tag1', :published_at => Time.now)
TextileArticle.create!(:name => 'Second post', :profile => profile, :tag_list => 'tag1', :published_at => Time.now + 1.day)
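Review bot: The new test passes `:id => ""`, an empty payload, so `assert_no_tag :tag => 'wslite'` passes even against the unfixed view and demonstrates nothing; presumably the intended value was a literal `<wslite>` tag that this rendering lost, so confirm the payload in the source. The test should also assert positively that the escaped form is present, for example `assert_match /&lt;wslite&gt;/, @response.body`, so it distinguishes "escaped" from "not rendered at all". The test class continues outside this hunk.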
diff --git a/test/functional/search_controller_test.rb b/test/functional/search_controller_test.rb
index 832f671..7c67db9 100644
--- a/test/functional/search_controller_test.rb
+++ b/test/functional/search_controller_test.rb
@@ -50,6 +50,11 @@ class SearchControllerTest < Test::Unit::TestCase
assert_equal 'carne vaca', assigns('filtered_query')
end
+ should 'espape xss attack' do
+ get 'index', :query => ''
+ assert_no_tag :tag => 'wslite'
+ end
+
should 'search only in specified types of content' do
get :index, :query => 'something not important', :find_in => [ 'articles' ]
assert_equal [:articles], assigns(:results).keys
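Review bot: As in the profile test, `get 'index', :query => ''` submits an empty query, so `assert_no_tag :tag => 'wslite'` holds whether or not the view escapes; the payload (presumably `'<wslite>'`) appears to have been lost and the test should additionally check `assert_match /&lt;wslite&gt;/, @response.body`. The test name `'espape xss attack'` has a typo, and `get 'index'` uses a string where the neighbouring test uses `get :index`; `should 'escape xss attack in search results'` with `get :index, :query => '<wslite>'` would match the file's conventions. The test class continues outside this hunk.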
--
libgit2 0.21.2