From ec36df97c4ea3da4bc177a96050c54cf8f35ba25 Mon Sep 17 00:00:00 2001 From: unarist Date: Sun, 17 Sep 2017 04:33:52 +0900 Subject: [PATCH] Escape URL parts on formatting local status (#4975) --- app/lib/formatter.rb | 2 +- spec/lib/formatter_spec.rb | 16 ++++++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/app/lib/formatter.rb b/app/lib/formatter.rb index d9f843f44..575830190 100644 --- a/app/lib/formatter.rb +++ b/app/lib/formatter.rb @@ -137,7 +137,7 @@ class Formatter suffix = url[prefix.length + 30..-1] cutoff = url[prefix.length..-1].length > 30 - "#{prefix}#{text}#{suffix}" + "#{encode(prefix)}#{encode(text)}#{encode(suffix)}" end def hashtag_html(tag) diff --git a/spec/lib/formatter_spec.rb b/spec/lib/formatter_spec.rb index f9b7efac5..b714b317a 100644 --- a/spec/lib/formatter_spec.rb +++ b/spec/lib/formatter_spec.rb @@ -121,6 +121,22 @@ RSpec.describe Formatter do end end + context 'contains unsafe URL (XSS attack, visible part)' do + let(:text) { %q{http://example.com/bb} } + + it 'has escaped HTML' do + is_expected.to include '<del>b</del>' + end + end + + context 'contains unsafe URL (XSS attack, invisible part)' do + let(:text) { %q{http://example.com/blahblahblahblah/a} } + + it 'has escaped HTML' do + is_expected.to include '<script>alert("Hello")</script>' + end + end + context 'contains HTML (script tag)' do let(:text) { '' }