github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-22 04:31:10 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: sanitizer allowing invalid attributes

Browse Source
This commit is contained in:
Sam
2014-07-17 15:40:19 +10:00
parent 5ad3396a7a
commit c12a131fb4
2 changed files with 15 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
spec/components/pretty_text_spec.rb
View File

@ -76,6 +76,7 @@ describe PrettyText do
describe "Excerpt" do
context "images" do
it "should dump images" do
PrettyText.excerpt("<img src='http://cnn.com/a.gif'>",100).should == "[image]"
end
@ -286,6 +287,10 @@ describe PrettyText do
it "allows bold chinese" do
PrettyText.cook("**你hello**").should match_html "<p><strong>你hello</strong></p>"
end
it "sanitizes attempts to inject invalid attributes" do
PrettyText.cook("<a href=\"http://thedailywtf.com/\" data-bbcode=\"' class='fa fa-spin\">WTF</a>").should == "<p><a href=\"http://thedailywtf.com/\" rel=\"nofollow\">WTF</a></p>"
end
end
end