nocebo/diaspora
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch '760-XSS-with-person-name' of https://github.com/Dorian/diaspora into Dorian-760-XSS-with-person-name

Browse source
This commit is contained in:
MrZYX 2010-12-24 15:56:00 +01:00
commit 6ba2e0b68d
2 changed files with 9 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
app/helpers/application_helper.rb
View file

@ -124,7 +124,7 @@ module ApplicationHelper
end end
def person_image_tag(person, size=:thumb_small) def person_image_tag(person, size=:thumb_small)
"<img alt='#{person.name}' class='avatar' data-person_id='#{person.id}' src='#{image_or_default(person, size)}' title='#{person.name}'>".html_safe "<img alt=\"#{h(person.name)}\" class=\"avatar\" data-person_id=\"#{person.id}\" src=\"#{image_or_default(person, size)}\" title=\"#{h(person.name)}\">".html_safe
end end
def person_link(person) def person_link(person)

8
spec/helpers/application_helper_spec.rb
View file

@ -42,6 +42,14 @@ describe ApplicationHelper do
end end
end end
describe "#person_image_tag" do
it "should not allow basic XSS/HTML" do
@person.profile.first_name = "I'm <h1>Evil"
@person.profile.last_name = "I'm <h1>Evil"
person_image_tag(@person).should_not include("<h1>")
end
end
describe "markdownify" do describe "markdownify" do
describe "autolinks" do describe "autolinks" do
it "should not allow basic XSS/HTML" do it "should not allow basic XSS/HTML" do