Download as
Browse Code »

Commit 8cab970cd3df9dca50e9a75e860344d62f68b3ef

Authored by Antonio Terceiro
1 parent f4480800
Exists in master and in 29 other branches add_member_task_reject_details, admin_visible_profile, article-list-template, community_notifications, contact_admin_translation, event_fixes, fix_comments_pagination, fix_rails4_organization_ratings, fix_sign_up_form, follow_step_fix, forum_topic_creation, mirror_block_improvements, multi_env_on_remote_user, new_security, noosfero_spb_ci, organization_ratings_improvements, organization_ratings_link_to_profile_stable-spb-1.3, organization_ratings_translations_fix, profile_api_improvements, ratings_minor_fixes, remote_user_fix, send_email_to_admins, stable-spb-1.3, stable-spb-1.3-fixes, stable-spb-1.4, stable-spb-1.5, suggest_rejected_value, web_steps_improvements, xss_terminate_custom_options

Fix XSS protection in article titles 

(ActionItem1667)
Showing 4 changed files with 26 additions and 5 deletions   Show diff stats
app/models/article.rb
  Diff comments   View file @8cab970
... ... @@ -26,7 +26,7 @@ class Article < ActiveRecord::Base
26 26 article.published_at = article.created_at if article.published_at.nil?
27 27 end
28 28  
29   - xss_terminate :only => [ :name ], :on => 'validation'
  29 + xss_terminate :only => [ :name ], :on => 'validation', :with => 'white_list'
30 30  
31 31 named_scope :in_category, lambda { |category|
32 32 {:include => 'categories', :conditions => { 'categories.id' => category.id }}
... ...
app/models/tiny_mce_article.rb
  Diff comments   View file @8cab970
... ... @@ -8,9 +8,9 @@ class TinyMceArticle < TextArticle
8 8 _('Not accessible for visually impaired users.')
9 9 end
10 10  
11   - xss_terminate :except => [ :abstract, :body ]
  11 + xss_terminate :only => [ ]
12 12  
13   - xss_terminate :only => [ :abstract, :body ], :with => 'white_list', :on => 'validation'
  13 + xss_terminate :only => [ :name, :abstract, :body ], :with => 'white_list', :on => 'validation'
14 14  
15 15 include WhiteListFilter
16 16 filter_iframes :abstract, :body, :whitelist => lambda { profile && profile.environment && profile.environment.trusted_sites_for_iframe }
... ...
test/unit/article_test.rb
  Diff comments   View file @8cab970
... ... @@ -862,7 +862,24 @@ class ArticleTest < Test::Unit::TestCase
862 862 article.name = "<h1 Bla </h1>"
863 863 article.valid?
864 864  
865   - assert article.errors.invalid?(:name)
  865 + assert_no_match /<[^>]*</, article.name
  866 + end
  867 +
  868 + should 'not doubly escape quotes in the name' do
  869 + profile = fast_create(Profile)
  870 + a = fast_create(Article, :profile_id => profile.id)
  871 + p = PublishedArticle.create!(:reference_article => a, :profile => fast_create(Community))
  872 +
  873 + p.name = 'title with "quotes"'
  874 + p.save
  875 + assert_equal 'title with "quotes"', p.name
  876 + end
  877 +
  878 + should 'remove script tags from name' do
  879 + a = Article.new(:name => 'hello <script>alert(1)</script>')
  880 + a.valid?
  881 +
  882 + assert_no_match(/<script>/, a.name)
866 883 end
867 884  
868 885 should 'escape malformed html tags' do
... ... @@ -878,5 +895,4 @@ class ArticleTest &lt; Test::Unit::TestCase
878 895 article.name = 'a123456789abcdefghij'
879 896 assert_equal 'a123456789ab...', article.short_title
880 897 end
881   -
882 898 end
... ...
test/unit/tiny_mce_article_test.rb
  Diff comments   View file @8cab970
... ... @@ -113,4 +113,9 @@ class TinyMceArticleTest &lt; Test::Unit::TestCase
113 113 assert_match /<!-- .* --> <h1> Wellformed html code <\/h1>/, article.body
114 114 end
115 115  
  116 + should 'not allow XSS on name' do
  117 + article = TinyMceArticle.create!(:name => 'title with <script>alert("xss")</script>', :profile => profile)
  118 + assert_no_match /script/, article.name
  119 + end
  120 +
116 121 end
... ...