Commit 062a7dee5ed3b9b6fc4df5a089606db88b60abf4

Authored by Rodrigo Souto
Committed by Antonio Terceiro
1 parent 66244e27

Fixing xss vulnerability

(ActionItem1630)
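--- a/app/views/profile/content_tagged.rhtml
+++ b/app/views/profile/content_tagged.rhtml
@@ -1,6 +1,6 @@
 <% add_rss_feed_to_head(_("%s's contents tagged with \"%s\"") % [profile.name, @tag], tag_feed_path) %>
 
-<h1><%= _('Content tagged with "%s"') % @tag %></h1>
+<h1><%= _('Content tagged with "%s"') % CGI.escapeHTML(@tag) %></h1>
 
 <p>
 <%= link_to image_tag('icons-mime/rss-feed.png', :alt => _('Feed for this tag'), :title => _('Feed for this tag')), tag_feed_path, :class => 'blog-feed-link'%>
@@ -18,6 +18,6 @@
 <%= pagination_links @tagged, :param_name => 'npage' %>
 
 <div>
- <%= link_to _('See content tagged with "%s" in the entire site') % @tag, :controller => 'search', :action => 'tag', :tag => @tag %>
+ <%= link_to _('See content tagged with "%s" in the entire site') % CGI.escapeHTML(@tag), :controller => 'search', :action => 'tag', :tag => @tag %>
 </div>
 <% end %>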
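Review bot: The same @tag that the two changed lines now escape is still interpolated raw into the feed title on line 1 of the first hunk, `add_rss_feed_to_head(_("%s's contents tagged with \"%s\"") % [profile.name, @tag], tag_feed_path)`, and whether that is safe depends on add_rss_feed_to_head escaping the title before it lands in the `<link>` attribute, which this commit does not show. If the helper does not escape, that call wants the same treatment, `% [profile.name, CGI.escapeHTML(@tag)]`. On style, Rails views conventionally use the `h` helper for output escaping, so `h(@tag)` in both changed lines would read as the same fix in the form other templates use.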
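--- a/app/views/search/index.rhtml
+++ b/app/views/search/index.rhtml
@@ -1,6 +1,6 @@
 <div id="search-page">
 
-<%= search_page_title(_('Search Results'), :query => @query, :category => @category ? @category.name : nil, :total_results => @total_results) %>
+<%= search_page_title(_('Search Results'), :query => CGI.escapeHTML(@query), :category => @category ? @category.name : nil, :total_results => @total_results) %>
 
 <%= render :partial => 'search_form', :locals => { :form_title => _("Refine your search"), :simple_search => true } %>
 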
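Review bot: `CGI.escapeHTML(@query)` on the changed line raises when @query is nil, so if the search index can be rendered without a query parameter the page now errors instead of rendering; `CGI.escapeHTML(@query.to_s)` keeps the fix and tolerates a missing query. Escaping at the call site also means search_page_title receives an already-escaped string, which double-escapes if the helper escapes on output and is wrong if it uses :query for anything other than HTML text; escaping inside the helper at the point of output would be the more robust place. The `@category.name` passed in the same call is left unescaped here, which is worth confirming the helper handles if category names can be user-supplied.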
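--- a/test/functional/profile_controller_test.rb
+++ b/test/functional/profile_controller_test.rb
@@ -716,6 +716,11 @@ class ProfileControllerTest < Test::Unit::TestCase
     assert_response 302
   end
 
+  should 'escape xss attack in tag feed' do
+    get :content_tagged, :profile => profile.identifier, :id => "<wslite>"
+    assert_no_tag :tag => 'wslite'
+  end
+
   should 'reverse the order of posts in tag feed' do
     TextileArticle.create!(:name => 'First post', :profile => profile, :tag_list => 'tag1', :published_at => Time.now)
     TextileArticle.create!(:name => 'Second post', :profile => profile, :tag_list => 'tag1', :published_at => Time.now + 1.day)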
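Review bot: `assert_no_tag :tag => 'wslite'` on the added test only proves that no wslite element was parsed out of the response; a redirect, an error page, or a render path that drops @tag entirely would pass it too, so the test does not pin that the tag text is escaped rather than absent. Adding `assert_response :success` and `assert_match /&lt;wslite&gt;/, @response.body` would check the escaped output the view is meant to produce. The same applies to the added test in test/functional/search_controller_test.rb.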
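--- a/test/functional/search_controller_test.rb
+++ b/test/functional/search_controller_test.rb
@@ -50,6 +50,11 @@ class SearchControllerTest < Test::Unit::TestCase
     assert_equal 'carne vaca', assigns('filtered_query')
   end
 
+  should 'espape xss attack' do
+    get 'index', :query => '<wslite>'
+    assert_no_tag :tag => 'wslite'
+  end
+
   should 'search only in specified types of content' do
     get :index, :query => 'something not important', :find_in => [ 'articles' ]
     assert_equal [:articles], assigns(:results).keys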
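Review bot: The test name on the first added line has a typo, `should 'espape xss attack' do`, which should read `should 'escape xss attack' do`. shoulda builds the generated test's name from this string, so the typo shows up in every test report that lists it and is what a maintainer would have to grep for when looking for the escaping test.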