SECURITY: XSS in "Account Suspended" Messages and Badge Descriptions

This commit is contained in:
Robin Ward
2016-07-28 11:36:48 -04:00
parent 85a91c8b81
commit 2f8ab8cd30
5 changed files with 1694 additions and 11 deletions


@ -407,10 +407,16 @@ describe SessionController do
describe 'suspended user' do
it 'should return an error' do
User.any_instance.stubs(:suspended?).returns(true)
User.any_instance.stubs(:suspended_till).returns(2.days.from_now)
user.suspended_till = 2.days.from_now
user.suspended_at = Time.now
user.save!
StaffActionLogger.new(user).log_user_suspend(user, "<strike>banned</strike>")
xhr :post, :create, login: user.username, password: 'myawesomepassword'
expect(::JSON.parse(response.body)['error']).to be_present
error = ::JSON.parse(response.body)['error']
expect(error).to be_present
expect(error).to match(/banned/)
expect(error).not_to match(/<strike>/)
end
end
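Review bot: The assertion `expect(::JSON.parse(response.body)['error']).to be_present` is now redundant with the `error = ::JSON.parse(response.body)['error']` and `expect(error).to be_present` lines directly below it, so the body is parsed twice for the same check; drop the first one. The negative match `expect(error).not_to match(/<strike>/)` only proves that this one tag is absent — a broader `expect(error).not_to match(%r{</?[a-z]})` would also catch any other raw markup that reaches the suspension message through the logged reason. It also looks like `User.any_instance.stubs(:suspended_till)` and the assigned `user.suspended_till = 2.days.from_now` now cover the same ground; one of them can presumably go, though which value the controller actually reads is not visible from this hunk.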