From 6e9bb84d125960fe2d76a2d52b4e431f6fa0d007 Mon Sep 17 00:00:00 2001
From: David Taylor
Date: Mon, 13 Dec 2021 10:50:09 +0000
Subject: [PATCH] FIX: Ensure theme names are escaped in HTML attributes (#15272)

If a theme name contained a double-quote, this problem could lead to invalid/unexpected HTML in the `` Note that this is not considered a security issue because themes can only be installed/named by administrators, and themes/administrators already have the ability to run arbitrary javascript.
---
 lib/stylesheet/manager.rb                  |  2 +-
 spec/components/stylesheet/manager_spec.rb | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/lib/stylesheet/manager.rb b/lib/stylesheet/manager.rb
index 7283e777700..a9b9c631b1f 100644
--- a/lib/stylesheet/manager.rb
+++ b/lib/stylesheet/manager.rb
@@ -195,7 +195,7 @@ class Stylesheet::Manager
       theme_id = stylesheet[:theme_id]
       data_theme_id = theme_id ? "data-theme-id=\"#{theme_id}\"" : ""
       theme_name = stylesheet[:theme_name]
-      data_theme_name = theme_name ? "data-theme-name=\"#{theme_name}\"" : ""
+      data_theme_name = theme_name ? "data-theme-name=\"#{CGI.escapeHTML(theme_name)}\"" : ""
       %[]
     end.join("\n").html_safe
   end
diff --git a/spec/components/stylesheet/manager_spec.rb b/spec/components/stylesheet/manager_spec.rb
index 219036ee07d..0c24ec8d539 100644
--- a/spec/components/stylesheet/manager_spec.rb
+++ b/spec/components/stylesheet/manager_spec.rb
@@ -135,6 +135,20 @@ describe Stylesheet::Manager do
       )
     end
 
+    it "includes the escaped theme name" do
+      manager = manager(theme.id)
+
+      theme.update(name: "a strange name\"with a quote in it")
+
+      tag = manager.stylesheet_link_tag(:desktop_theme)
+      expect(tag).to have_tag("link", with: {
+        "data-theme-name" => theme.name.downcase
+      })
+      expect(tag).to have_tag("link", with: {
+        "data-theme-name" => child_theme.name.downcase
+      })
+    end
+
     context "stylesheet order" do
       let(:z_child_theme) do
         Fabricate(:theme, component: true, name: "ze component").tap do |z|
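Review bot: The escape is applied only to theme_name, while the context line just above still interpolates `theme_id` unescaped into the same string that is later marked trusted at `end.join("\n").html_safe`. If theme_id is always an Integer from the database this is harmless, but nothing in the hunk shows that, and making the two attributes symmetric is cheap: `data_theme_id = theme_id ? "data-theme-id=\"#{CGI.escapeHTML(theme_id.to_s)}\"" : ""`. A why-comment on the `+` line, `# admin-controlled, but must still be attribute-safe inside an html_safe string`, would record the reasoning the commit message gives so it survives in the code. The enclosing method starts before the hunk and the `%[]` template line appears truncated in this rendering, so any other values interpolated into that template should be checked the same way.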
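Review bot: The new example covers only a double-quote, whereas `CGI.escapeHTML` also rewrites `&`, `<`, `>` and `'`, and `have_tag` presumably compares the parsed attribute value, so the assertion as written cannot tell a full escape from one that handles only quotes. Extending the fixture to `theme.update(name: "a strange name\"with a <quote> & more")` exercises the remaining characters at no cost. The expectation compares against `theme.name.downcase`, which implies the manager lowercases the name before emitting it; if so, a one-line comment stating that would keep the next reader from reading the `.downcase` as accidental. Separately, `manager = manager(theme.id)` shadows the `manager` helper with a local of the same name; `link_manager = manager(theme.id)` reads more clearly.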