
SECURITY: fix XSS in excerpt parser

This commit is contained in:
Sam 2014-07-25 12:15:43 +10:00
parent fbbd4999b6
commit 6e9f5f5584
3 changed files with 37 additions and 24 deletions


@ -23,8 +23,15 @@ class ExcerptParser < Nokogiri::XML::SAX::Document
me.excerpt
end
def escape_attribute(v)
v.gsub("&", "&amp;")
.gsub("\"", "&#34;")
.gsub("<", "&lt;")
.gsub(">", "&gt;")
end
def include_tag(name, attributes)
characters("<#{name} #{attributes.map{|k,v| "#{k}='#{v}'"}.join(' ')}>", false, false, false)
characters("<#{name} #{attributes.map{|k,v| "#{k}=\"#{escape_attribute(v)}\""}.join(' ')}>", false, false, false)
end
def start_element(name, attributes=[])