SECURITY: Remove XSS in composer preview when applying image scale buttons.

Guo Xiang Tan
2019-04-08 11:20:28 +08:00
parent 13c6bf54d0
commit 33fa249fa5
2 changed files with 22 additions and 8 deletions


@ -754,4 +754,20 @@ QUnit.test("Image resizing buttons", async assert => {
uploads[9] = "![identicalImage|300x300,75%](upload://identicalImage.png)";
await click(find(".button-wrapper .scale-btn[data-scale='75']")[5]);
assertImageResized(assert, uploads);
await fillIn(
".d-editor-input",
`
![test|690x313](upload://test.png)
\`<script>alert("xss")</script>\`
`
);
await triggerEvent($(".d-editor-preview img"), "mouseover");
assert.ok(
find("script").length === 0,
"it does not unescapes script tags in code blocks"
);
});
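Review bot: The closing assertion `find("script").length === 0` only proves that no `<script>` element exists; it passes equally well if the preview rendered nothing or dropped the code span entirely, so it does not pin the behaviour the fix is meant to preserve (the script text stays escaped inside the code block). Add a positive check next to it, e.g. `assert.ok(find(".d-editor-preview code").text().includes('<script>alert("xss")</script>'), "code block keeps the literal script text");` — the selector assumes the inline code renders as a `code` element under `.d-editor-preview`, which should be confirmed against the preview markup. The commit title names the scale-button click as the trigger, but the new lines only fire `mouseover`; if the unescaping happens on the click (the fixed file is not in this section, so this is inferred), also `await click(find(".button-wrapper .scale-btn[data-scale='75']")[0]);` after the hover so the regression path itself is exercised. The assertion message also has a grammar slip and should read `"it does not unescape script tags in code blocks"`.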