Escape URL parts on formatting local status (#4975)
parent
c8969dca35
commit
ec36df97c4
@ -137,7 +137,7 @@ class Formatter
suffix = url[prefix.length + 30..-1]
suffix = url[prefix.length + 30..-1]
cutoff = url[prefix.length..-1].length > 30
cutoff = url[prefix.length..-1].length > 30
"<span class=\"invisible\">#{prefix}</span><span class=\"#{cutoff ? 'ellipsis' : ''}\">#{text}</span><span class=\"invisible\">#{suffix}</span>"
"<span class=\"invisible\">#{encode(prefix)}</span><span class=\"#{cutoff ? 'ellipsis' : ''}\">#{encode(text)}</span><span class=\"invisible\">#{encode(suffix)}</span>"
end
end
def hashtag_html(tag)
def hashtag_html(tag)
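Review bot: The escaped line at the end of the hunk still emits `class=""` when `cutoff` is false, and nothing on the page explains why the three substrings now pass through `encode` — since `prefix`, `text` and `suffix` are slices of the user-supplied `url`, a why-comment above the string would keep the next editor from dropping the calls: `# prefix/text/suffix are slices of the untrusted url; escape each before interpolating into markup`. The empty class can be avoided with `class=\"#{'ellipsis' if cutoff}\"`, which produces the same output in both branches. If `encode` is the HTML-entity escaper (presumably; its definition is not in the hunk), the change covers the three rendered spans, but the anchor's `href` is assembled outside this hunk, so its escaping should be confirmed there as well. The enclosing method starts above the hunk.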
@ -121,6 +121,22 @@ RSpec.describe Formatter do
end
end
end
end
context 'contains unsafe URL (XSS attack, visible part)' do
let(:text) { %q{http://example.com/b<del>b</del>} }
it 'has escaped HTML' do
is_expected.to include '<del>b</del>'
end
end
context 'contains unsafe URL (XSS attack, invisible part)' do
let(:text) { %q{http://example.com/blahblahblahblah/a<script>alert("Hello")</script>} }
it 'has escaped HTML' do
is_expected.to include '<script>alert("Hello")</script>'
end
end
context 'contains HTML (script tag)' do
context 'contains HTML (script tag)' do
let(:text) { '<script>alert("Hello")</script>' }
let(:text) { '<script>alert("Hello")</script>' }
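Review bot: As printed, the two new expectations `is_expected.to include '<del>b</del>'` and `is_expected.to include '<script>alert("Hello")</script>'` assert that the raw tags survive in the output, which contradicts the example names 'has escaped HTML'; most likely the page rendering decoded the entity-escaped strings in the spec source, so confirm that the committed literals are the `&lt;`/`&gt;` forms. Pairing each positive match with a negative one, e.g. `is_expected.not_to include '<del>b</del>'`, would make the intent unambiguous however the expectation is displayed. The `describe` block these contexts belong to begins above the hunk.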