github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-25 00:32:52 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: escape title HTML for inline onebox

Browse Source
This commit is contained in:
Sam
2019-01-10 12:02:05 +11:00
parent c85b9c6ed3
commit 35b59cfa78
2 changed files with 4 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
spec/components/cooked_post_processor_spec.rb
View File

@ -185,7 +185,8 @@ describe CookedPostProcessor do
]
end
let(:title) { 'some title' }
let(:title) { '<b>some title</b>' }
let(:escaped_title) { CGI.escapeHTML(title) }
let(:post) do
Fabricate(:post, raw: <<~RAW)
@ -203,7 +204,7 @@ describe CookedPostProcessor do
urls.each do |url|
stub_request(:get, url).to_return(
status: 200,
body: "<html><head><title>#{title}</title></head></html>"
body: "<html><head><title>#{escaped_title}</title></head></html>"
)
end
end