nocebo/diaspora
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

escape js in format_tags until I can think about whether we have an XSS problem in the morning

Browse source
This commit is contained in:
Raphael Sofaer 2011-07-07 21:54:34 -07:00
parent 27a08b895a
commit 8af95909c2
1 changed files with 2 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
lib/diaspora/taggable.rb
View file

@ -4,6 +4,7 @@
module Diaspora module Diaspora
module Taggable module Taggable
extend ActionView::Helpers::JavaScriptHelper
VALID_TAG_BODY = /[^_,\s#*\[\]()\@\/"'\.%]+\b/ VALID_TAG_BODY = /[^_,\s#*\[\]()\@\/"'\.%]+\b/
def self.included(model) def self.included(model)
@ -39,7 +40,7 @@ module Diaspora
def self.format_tags(text, opts={}) def self.format_tags(text, opts={})
return text if opts[:plain_text] return text if opts[:plain_text]
regex = /(^|\s)#(#{VALID_TAG_BODY})/ regex = /(^|\s)#(#{VALID_TAG_BODY})/
form_message = text.gsub(regex) do |matched_string| form_message = escape_javascript(text).gsub(regex) do |matched_string|
"#{$~[1]}<a href=\"/tags/#{$~[2]}\" class=\"tag\">##{$~[2]}</a>" "#{$~[1]}<a href=\"/tags/#{$~[2]}\" class=\"tag\">##{$~[2]}</a>"
end end
form_message.html_safe form_message.html_safe