SECURITY: Onebox templates' HTML injections.

The use of triple-curlies on Mustache templates opens the possibility for HTML injections.
2025-05-22 20:31:15 +08:00 · 2023-10-23 14:19:21 -03:00
parent 5f20748e40
commit d78357917c
4 changed files with 103 additions and 6 deletions
--- a/spec/lib/onebox/engine/github_issue_onebox_spec.rb
+++ b/spec/lib/onebox/engine/github_issue_onebox_spec.rb
@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+RSpec.describe Onebox::Engine::GithubIssueOnebox do
+  before do
+    @link = "https://github.com/discourse/discourse/issues/1"
+
+    stub_request(:get, "https://api.github.com/repos/discourse/discourse/issues/1").to_return(
+      status: 200,
+      body: onebox_response("github_issue_onebox"),
+    )
+  end
+
+  include_context "with engines"
+  it_behaves_like "an engine"
+
+  describe "#to_html" do
+    it "sanitizes the input and transform the emoji into an img tag" do
+      sanitized_label =
+        'Test <img src="/images/emoji/twitter/+1.png?v=12" title="+1" class="emoji" alt="+1" loading="lazy" width="20" height="20"> &lt;style&gt;body {display: none}&lt;/style&gt;'
+
+      expect(html).to include(sanitized_label)
+    end
+  end
+end