SECURITY: fix XSS

2025-05-21 18:12:32 +08:00 · 2014-06-16 10:24:54 +10:00
parent 258c353307
commit d65efe7304
2 changed files with 12 additions and 0 deletions
--- a/spec/components/discourse_diff_spec.rb
+++ b/spec/components/discourse_diff_spec.rb
@ -5,6 +5,17 @@ describe DiscourseDiff do

  describe "inline_html" do

+    it "doest not lead to XSS" do
+      a = "<test>start</test>"
+      b = "<test>end</test>"
+      prev = "<div>#{CGI::escapeHTML(a)}</div>"
+      cur = "<div>#{CGI::escapeHTML(b)}</div>"
+
+      diff = DiscourseDiff.new(prev,cur)
+      diff.inline_html.should_not =~ /<\/?test>/
+      diff.side_by_side_html.should_not =~ /<\/?test>/
+    end
+
    it "returns an empty div when no content is diffed" do
      DiscourseDiff.new("", "").inline_html.should == "<div class=\"inline-diff\"></div>"
    end