Commit 57e4738a0f1c4fb784bb351c6b344c4cbeb88a97

Authored by Antonio Terceiro
1 parent c418fd0b

Fix XSS possibility caused by quotes in article title/body

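--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -907,13 +907,15 @@ module ApplicationHelper
 end
 
 def page_title
-(@page ? @page.title + ' - ' : '') +
-(@topic ? @topic.title + ' - ' : '') +
-(@section ? @section.title + ' - ' : '') +
-(@toc ? _('Online Manual') + ' - ' : '') +
-(controller.controller_name == 'chat' ? _('Chat') + ' - ' : '') +
-(profile ? profile.short_name : environment.name) +
-(@category ? " - #{@category.full_name}" : '')
+CGI.escapeHTML(
+(@page ? @page.title + ' - ' : '') +
+(@topic ? @topic.title + ' - ' : '') +
+(@section ? @section.title + ' - ' : '') +
+(@toc ? _('Online Manual') + ' - ' : '') +
+(controller.controller_name == 'chat' ? _('Chat') + ' - ' : '') +
+(profile ? profile.short_name : environment.name) +
+(@category ? " - #{@category.full_name}" : '')
+)
 end
 
 # DEPRECATED. Do not use this.
@@ -1285,11 +1287,13 @@ module ApplicationHelper
 end
 
 def delete_article_message(article)
-if article.folder?
-_("Are you sure that you want to remove the folder \"%s\"? Note that all the items inside it will also be removed!") % article.name
-else
-_("Are you sure that you want to remove the item \"%s\"?") % article.name
-end
+CGI.escapeHTML(
+if article.folder?
+_("Are you sure that you want to remove the folder \"%s\"? Note that all the items inside it will also be removed!") % article.name
+else
+_("Are you sure that you want to remove the item \"%s\"?") % article.name
+end
+)
 end
 
 def expirable_link_to(expired, content, url, options = {})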
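Review bot: page_title now returns an already-escaped string, but the only caller visible in this commit, `<meta property="og:title" content="<%= h page_title %>">` in app/views/layouts/application-ng.html.erb, escapes it a second time, so a title containing `"` or `&` will render as `&amp;quot;` / `&amp;amp;` inside the attribute. Escaping should happen at exactly one layer: either drop the `CGI.escapeHTML(...)` wrapper here and keep `h` at every call site, or keep the wrapper and change the template to `<%= page_title %>` (if this Rails version auto-escapes ERB output, that still double-escapes unless the helper marks its result as html_safe). The same layering question applies to delete_article_message in the second hunk: its callers are not visible here, and if any of them hand the string to a JavaScript confirm or another non-HTML context, the entities will appear verbatim — worth checking each call site before escaping inside the helper rather than at the point of output.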
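--- a/app/helpers/layout_helper.rb
+++ b/app/helpers/layout_helper.rb
@@ -91,7 +91,7 @@ module LayoutHelper
 end
 
 def meta_description_tag(article=nil)
-article ? truncate(strip_tags(article.body.to_s), :length => 200) : environment.name
+article ? CGI.escapeHTML(truncate(strip_tags(article.body.to_s), :length => 200)) : environment.name
 end
 end
 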
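Review bot: Only the article branch of meta_description_tag is escaped; the `environment.name` fallback on the same line is still returned raw, and the caller in application-ng.html.erb interpolates the result straight into a `content` attribute, so a quote in the environment name breaks out of the attribute just as the article body did. Escape the whole expression instead: `CGI.escapeHTML(article ? truncate(strip_tags(article.body.to_s), :length => 200) : environment.name)`. Also note that strip_tags may leave HTML entities in its output, in which case escaping afterwards double-encodes them (`&amp;` becomes `&amp;amp;`); a test with a body containing an entity would settle whether that matters here.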
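--- a/app/views/layouts/application-ng.html.erb
+++ b/app/views/layouts/application-ng.html.erb
@@ -17,7 +17,7 @@
 <meta property="og:url" content="<%= @page ? url_for(@page.url) : @environment.top_url %>">
 <meta property="og:title" content="<%= h page_title %>">
 <meta property="og:site_name" content="<%= profile ? profile.name : @environment.name %>">
-<meta property="og:description" content="<%= @page ? truncate(strip_tags(@page.body.to_s), :length => 200) : @environment.name %>">
+<meta property="og:description" content="<%= meta_description_tag(@page) %>">
 
 <!-- site root -->
 <meta property="noosfero:root" content="<%= Noosfero.root %>"/>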
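Review bot: The og:description attribute is now escaped through the helper, but the adjacent og:site_name line, `content="<%= profile ? profile.name : @environment.name %>"`, still interpolates `profile.name` unescaped into the same kind of attribute, so a profile name containing a double quote breaks out of it exactly as the title did. Treat it the same way as the og:title line: `<meta property="og:site_name" content="<%= h(profile ? profile.name : @environment.name) %>">`. Whether profile.name is user-editable is not visible here, but the og:title line already treats profile-derived text as untrusted, and the og:url line's `url_for(@page.url)` deserves the same review.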