FIX: prevent self-xss in poll attributes

This commit is contained in:
Régis Hanol
2015-05-11 20:09:17 +02:00
parent d337da532a
commit 3a9907f392
3 changed files with 14 additions and 12 deletions


@ -49,6 +49,14 @@ describe PostsController do
expect(json["errors"][0]).to eq(I18n.t("poll.default_poll_must_have_less_options", max: SiteSetting.poll_maximum_options))
end
it "prevents self-xss" do
xhr :post, :create, { title: title, raw: "[poll name=<script>alert('xss')</script>]\n- A\n- B\n[/poll]" }
expect(response).to be_success
json = ::JSON.parse(response.body)
expect(json["cooked"]).to match("data-poll-")
expect(json["polls"]["&lt;script&gt;alert(xss)&lt;/script&gt;"]).to be
end
describe "edit window" do
describe "within the first 5 minutes" do