commit: cf450f1e4f5f2317e64291487bfccd89a2b243bf |
Author: Petteri Räty <betelgeuse <AT> gentoo <DOT> org> |
AuthorDate: Tue Aug 2 20:32:04 2011 +0000 |
Commit: Petteri Räty <betelgeuse <AT> gentoo <DOT> org> |
CommitDate: Tue Aug 2 20:32:24 2011 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/recruiting-webapp.git;a=commit;h=cf450f1e |
|
Fix two XSS injections |
|
The EmailAddress problem was submitted upstream to hobo. |
|
--- |
app/views/taglibs/views.dryml | 2 +- |
config/initializers/email_address.rb | 9 +++++++++ |
spec/models/user_spec.rb | 5 +++++ |
3 files changed, 15 insertions(+), 1 deletions(-) |
|
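diff --git a/app/views/taglibs/views.dryml b/app/views/taglibs/views.dryml
index c4bcd89..c5be181 100644
--- a/app/views/taglibs/views.dryml
+++ b/app/views/taglibs/views.dryml
@@ -10,7 +10,7 @@
 <%= this.content.to_html %>
 <ul>
 <repeat:options>
- <li><%=this.content%></li>
+ <li><%= h this.content%></li>
 </repeat>
 </ul>
 </def>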
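Review bot: Only the `<li>` line gains an escape; the `<%= this.content.to_html %>` line three lines above in the same hunk still emits whatever the field type's `to_html` returns, and the initializer added in this same commit shows that at least one HoboFields type (EmailAddress) did not escape in its `to_html`. Unless the type behind that `content` field is known to escape inside its own `to_html`, the same gap exists there, and either `<%= h this.content.to_html %>` or an escape inside that type's `to_html` would close it. The `<def>` that encloses this hunk starts outside it.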
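diff --git a/config/initializers/email_address.rb b/config/initializers/email_address.rb
new file mode 100644
index 0000000..02e48cb
--- /dev/null
+++ b/config/initializers/email_address.rb
@@ -0,0 +1,9 @@
+require 'hobo_fields/email_address'
+
+class HoboFields::EmailAddress
+ def to_html_with_escape(xmldoctype = true)
+ ERB::Util.h to_html_without_escape xmldoctype
+ end
+
+ alias_method_chain :to_html, :escape
+end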
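Review bot: Nothing in the new initializer records why HoboFields::EmailAddress is being reopened, and the commit message's note that the problem was submitted upstream to hobo will not travel with the file. A header comment such as `# Escape EmailAddress#to_html output (XSS); submitted upstream to hobo — remove once the fixed gem is in use.` would tell a later maintainer when the override can be retired. The override escapes the entire return value of `to_html_without_escape`, which is correct while that output is plain text like the "x at y dot z" form the accompanying spec expects; if upstream ever emits markup there, this would double-escape it. Also, the spec in spec/models/user_spec.rb as shown on this page appears to expect the literal unescaped `<script>` string back from `to_html`, which may be an artifact of how the page renders entities — worth confirming the assertion compares against the entity-escaped form, since as displayed it would pass without the escape.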
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb |
49 |
index e6724d8..7552a1e 100644 |
50 |
--- a/spec/models/user_spec.rb |
51 |
+++ b/spec/models/user_spec.rb |
52 |
@@ -8,6 +8,11 @@ describe User do |
53 |
new_user.role.should == :recruit |
54 |
end |
55 |
|
56 |
+ it "should escape emails" do |
57 |
+ u = User.new :email_address => "<script>alert('foo')<script>@foo.com" |
58 |
+ u.email_address.to_html.should == "<script>alert('foo')<script> at foo dot com" |
59 |
+ end |
60 |
+ |
61 |
it { should allow_value(:mentor).for(:role) } |
62 |
it { should allow_value(:recruiter).for(:role) } |