From dde91a54dc1349340bb0fc10eada7d520a95f9c4 Mon Sep 17 00:00:00 2001
From: Arpit Jalan
Date: Tue, 8 Mar 2016 20:08:23 +0530
Subject: [PATCH] SECURITY: strip HTML tags in topic title in email digest

---
 app/helpers/application_helper.rb            | 3 ++-
 app/views/user_notifications/digest.html.erb | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 4cc6834c5c8..43acc6ddf5b 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -74,8 +74,9 @@ module ApplicationHelper
     end
   end
 
-  def unescape_emoji(title)
+  def format_topic_title(title)
     PrettyText.unescape_emoji(title)
+    strip_tags(title)
   end
 
   def with_format(format, &block)
diff --git a/app/views/user_notifications/digest.html.erb b/app/views/user_notifications/digest.html.erb
index 304250e12f7..9f4bfe4a900 100644
--- a/app/views/user_notifications/digest.html.erb
+++ b/app/views/user_notifications/digest.html.erb
@@ -20,7 +20,7 @@ <%- @featured_topics.each_with_index do |t, i| %>
@@ -43,7 +43,7 @@ <%- @new_topics.each do |t| %>
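Review bot: In the new `format_topic_title`, the value of `PrettyText.unescape_emoji(title)` on the first body line is discarded — a Ruby method returns its last expression, so the helper now returns only `strip_tags(title)` and the emoji handling the old helper provided no longer reaches the digest (unless `unescape_emoji` mutates its argument in place, which its name does not suggest). The two calls should be nested rather than sequenced, and stripping first is the safer order, since any markup `unescape_emoji` might emit for an emoji would otherwise be removed again by `strip_tags`: `PrettyText.unescape_emoji(strip_tags(title))`. If `unescape_emoji` does produce HTML, the stripped title it wraps is still raw user text, so the template consuming this helper must escape that portion before marking anything html_safe; that cannot be confirmed from this hunk and deserves a check in `digest.html.erb`. The diffstat shows only `digest.html.erb` updated for the rename, so any other template still calling `unescape_emoji` would now raise `NoMethodError` — worth a grep before merging.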