
Topic was not sanitizing <b> and <img> tags from titles

This commit is contained in:
Robin Ward 2013-03-06 11:36:42 -05:00
parent e8eb60fe78
commit 30aae8e793
2 changed files with 14 additions and 4 deletions


@ -110,10 +110,20 @@ describe Topic do
end
context 'html in title' do
let(:topic) { Fabricate(:topic, title: "<script>alert('title')</script> is my topic title" ) }
let(:topic_bold) { Fabricate(:topic, title: "topic with <b>bold</b> text in its title" ) }
let(:topic_image) { Fabricate(:topic, title: "topic with <img src='something'> image in its title" ) }
let(:topic_script) { Fabricate(:topic, title: "<script>alert('title')</script> is my topic title" ) }
it "should escape the HTML" do
topic.title.should == "is my topic title"
it "escapes script contents" do
topic_script.title.should == "is my topic title"
end
it "escapes bold contents" do
topic_bold.title.should == "topic with bold text in its title"
end
it "escapes bold contents" do
topic_image.title.should == "topic with image in its title"
end
end
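Review bot: The third example reuses the description `it "escapes bold contents"` for the image case, so a failure report cannot tell the two apart and a duplicate-description linter would flag it; it should read `it "strips image tags" do`. The expectations themselves show the tags being removed wholesale (`"topic with bold text in its title"`, `"is my topic title"`), not HTML-escaped, so "escapes" in all three descriptions misstates what is asserted — an escaped title would still contain `&lt;b&gt;`. Renaming them to "strips script tags" / "strips bold tags" / "strips image tags" keeps the spec names honest about the sanitizer's contract; the sanitizer change itself is in the other file of this commit and not visible here, and the enclosing `describe Topic` block continues outside the hunk.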