SECURITY: Prefer Loofah for processing cooked HTML

2025-05-25 09:57:25 +08:00 · 2021-02-24 17:14:43 +02:00
parent daf34ae7e2
commit 0c8d658ba8
2 changed files with 9 additions and 1 deletions
--- a/spec/components/cooked_post_processor_spec.rb
+++ b/spec/components/cooked_post_processor_spec.rb
@ -1809,4 +1809,12 @@ describe CookedPostProcessor do
    end
  end

+  context "#html" do
+    it "escapes attributes" do
+      post = Fabricate(:post, raw: '<img alt="<something>">')
+      expect(post.cook(post.raw)).to eq('<p><img alt="&lt;something&gt;"></p>')
+      expect(CookedPostProcessor.new(post).html).to eq('<p><img alt="&lt;something&gt;"></p>')
+    end
+  end
+
 end