
mastofe

My custom branch(es) on git.pleroma.social/pleroma/mastofe
commit: ec36df97c4ea3da4bc177a96050c54cf8f35ba25
parent: c8969dca3581cb82c5787f37bb4022f7af74cd15
Author: unarist <m.unarist@gmail.com>
Date:   Sun, 17 Sep 2017 04:33:52 +0900

Escape URL parts on formatting local status (#4975)


Diffstat:

M app/lib/formatter.rb      |  2 +-
M spec/lib/formatter_spec.rb | 16 ++++++++++++++++
2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/app/lib/formatter.rb b/app/lib/formatter.rb
@@ -137,7 +137,7 @@ class Formatter
 suffix = url[prefix.length + 30..-1]
 cutoff = url[prefix.length..-1].length > 30
- "<span class=\"invisible\">#{prefix}</span><span class=\"#{cutoff ? 'ellipsis' : ''}\">#{text}</span><span class=\"invisible\">#{suffix}</span>"
+ "<span class=\"invisible\">#{encode(prefix)}</span><span class=\"#{cutoff ? 'ellipsis' : ''}\">#{encode(text)}</span><span class=\"invisible\">#{encode(suffix)}</span>"
 end
 def hashtag_html(tag)
diff --git a/spec/lib/formatter_spec.rb b/spec/lib/formatter_spec.rb
@@ -121,6 +121,22 @@ RSpec.describe Formatter do
 end
 end
+ context 'contains unsafe URL (XSS attack, visible part)' do
+ let(:text) { %q{http://example.com/b<del>b</del>} }
+
+ it 'has escaped HTML' do
+ is_expected.to include '&lt;del&gt;b&lt;/del&gt;'
+ end
+ end
+
+ context 'contains unsafe URL (XSS attack, invisible part)' do
+ let(:text) { %q{http://example.com/blahblahblahblah/a<script>alert("Hello")</script>} }
+
+ it 'has escaped HTML' do
+ is_expected.to include '&lt;script&gt;alert(&quot;Hello&quot;)&lt;/script&gt;'
+ end
+ end
+
 context 'contains HTML (script tag)' do
 let(:text) { '<script>alert("Hello")</script>' }
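Review bot: The three `encode(...)` calls on the added line close the injection into the span text, but nothing records that the escaping has to stay after the 30-character slice of `url` (the `suffix`/`cutoff` context lines); if a later refactor encodes `url` first, the slice can cut an entity such as `&amp;` across the visible and invisible spans, so a comment above the string, `# Escape after slicing so the 30-char cut never splits an HTML entity`, pins the ordering. The new spec expects `&quot;`, so the fix also relies on `encode` escaping double quotes; that holds if `encode` wraps `CGI.escapeHTML`, but the helper is outside this hunk and should be confirmed. The enclosing method begins before the hunk and the `href` attribute the caller wraps around this text is not visible here; it needs the same escaping if it is interpolated raw.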