Skip to content

Commit

Permalink
SECURITY: Properly escape user input when generating email HTML (#455)
Browse files Browse the repository at this point in the history
  • Loading branch information
davidtaylorhq authored Oct 16, 2023
1 parent bd093da commit 9788310
Show file tree
Hide file tree
Showing 3 changed files with 16 additions and 3 deletions.
1 change: 0 additions & 1 deletion .discourse-compatibility
Original file line number Diff line number Diff line change
@@ -1,4 +1,3 @@
3.1.999: afc2ee684de41601d6cecc46713d139760f176a6
3.1.0.beta3: 10077ca904956005f9fa83c3d9fb124b59e8c47b
2.9.0.beta13: b4c366b35d6f9778e54a878aa083348e8a45e86e
2.9.0.beta9: 6f16ae10dc0306d6e1369e0d1414416d7e72141d
Expand Down
4 changes: 2 additions & 2 deletions plugin.rb
Original file line number Diff line number Diff line change
Expand Up @@ -429,8 +429,8 @@ module ::DiscoursePostEvent
event_name = event_node["data-name"] || post.topic.title
event_node.replace <<~TXT
<div style='border:1px solid #dedede'>
<p><a href="#{Discourse.base_url}#{post.url}">#{event_name}</a></p>
<p>#{dates}</p>
<p><a href="#{Discourse.base_url}#{post.url}">#{CGI.escape_html(event_name)}</a></p>
<p>#{CGI.escape_html(dates)}</p>
</div>
TXT
end
Expand Down
14 changes: 14 additions & 0 deletions spec/lib/discourse_post_event/pretty_text_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,9 @@

context "when the event has a name" do
let(:post_1) { create_post_with_event(user_1, 'name="Pancakes event"') }
let(:post_2) do
create_post_with_event(user_1, 'name="Pancakes event <a>with html chars</a>"')
end

it "displays the event name" do
cooked = PrettyText.cook(post_1.raw)
Expand All @@ -41,6 +44,17 @@
</div>
HTML
end

it "properly escapes title" do
cooked = PrettyText.cook(post_2.raw)

expect(PrettyText.format_for_email(cooked, post_2)).to match_html(<<~HTML)
<div style='border:1px solid #dedede'>
<p><a href="#{Discourse.base_url}#{post_2.url}">Pancakes event &lt;a&gt;with html chars&lt;/a&gt;</a></p>
<p>2018-06-05T18:39:50.000Z (UTC)</p>
</div>
HTML
end
end

context "when the event has an end date" do
Expand Down

0 comments on commit 9788310

Please sign in to comment.