From d9746a8461caf7212c41acd99d2f86f09a107f0c Mon Sep 17 00:00:00 2001
From: Steffen van Bergerem <svbergerem@online.de>
Date: Wed, 10 Aug 2016 17:19:58 +0200
Subject: [PATCH] Escape HTML in mentions box

---
 app/assets/javascripts/app/views/publisher/mention_view.js | 2 +-
 features/desktop/posts_from_main_page.feature              | 6 ++++++
 spec/javascripts/app/views/publisher_mention_view_spec.js  | 7 +++++++
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/app/assets/javascripts/app/views/publisher/mention_view.js b/app/assets/javascripts/app/views/publisher/mention_view.js
index 2a1c655919..b8f6143f55 100644
--- a/app/assets/javascripts/app/views/publisher/mention_view.js
+++ b/app/assets/javascripts/app/views/publisher/mention_view.js
@@ -91,7 +91,7 @@ app.views.PublisherMention = app.views.SearchBase.extend({
    */
   updateMessageTexts: function() {
     var fakeMessageText = this.inputBox.val(),
-        mentionBoxText = fakeMessageText,
+        mentionBoxText = _.escape(fakeMessageText),
         messageText = fakeMessageText;
 
     this.mentionedPeople.forEach(function(person) {
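Review bot: Escaping the whole input on the `_.escape(fakeMessageText)` line is right, but the loop that follows (its body is outside this hunk) presumably splices each mentioned person's name and the `<strong><span>…</span></strong>` markup into `mentionBoxText`, and after this change it is working on escaped text. If a display name contains a character `_.escape` rewrites (`&`, `<`, `>`, `"`, `'`), a match against the raw name no longer finds it, and inserting the raw name into the markup would re-open the injection this patch closes; the loop should compare against and insert the escaped name (`_.escape(...)` of whatever name field it reads). Worth a why-comment above the assignment so the next edit does not revert it: `// mentionBoxText is rendered with .html(); escape the raw input once here and keep every later splice escaped too.` The existing JSDoc that ends on the `*/` line could also state that `updateMessageTexts` produces HTML-safe text for the mentions box and plain text for the message.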
diff --git a/features/desktop/posts_from_main_page.feature b/features/desktop/posts_from_main_page.feature
index b81786b53a..1c51665dac 100644
--- a/features/desktop/posts_from_main_page.feature
+++ b/features/desktop/posts_from_main_page.feature
@@ -196,6 +196,12 @@ Feature: posting from the main page
       And I select only "NotPostingThingsHere" aspect
       Then I should not see "I am eating a yogurt" and "And cornflakes also"
 
+    Scenario: Write html in the publisher
+      When I expand the publisher
+      Then I should not see any alert after I write the status message "<script>alert();</script>"
+      When I submit the publisher
+      Then "<script>alert();</script>" should be post 1
+
     # (NOTE) make this a jasmine spec
     Scenario: reject deletion one of my posts
       When I expand the publisher
diff --git a/spec/javascripts/app/views/publisher_mention_view_spec.js b/spec/javascripts/app/views/publisher_mention_view_spec.js
index a28a393e7e..436e5e674a 100644
--- a/spec/javascripts/app/views/publisher_mention_view_spec.js
+++ b/spec/javascripts/app/views/publisher_mention_view_spec.js
@@ -197,6 +197,13 @@ describe("app.views.PublisherMention", function() {
       expect(this.view.mentionsBox.find(".mentions").html())
         .toBe("@user1 Text before <strong><span>user1</span></strong>\ntext after");
     });
+
+    it("properly escapes the user input", function() {
+      this.view.inputBox.val("<img src=\"/default.png\"> @user1 Text before \u200Buser1\ntext after");
+      this.view.updateMessageTexts();
+      expect(this.view.mentionsBox.find(".mentions").html())
+        .toBe("&lt;img src=\"/default.png\"&gt; @user1 Text before <strong><span>user1</span></strong>\ntext after");
+    });
   });
 
   describe("updateTypeaheadInput", function() {
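Review bot: The new spec only proves that `<` and `>` are neutralised; it does not pin that `&` is escaped exactly once, nor that the mention splice still works once the surrounding text has been escaped. A second case along the lines of `this.view.inputBox.val("a & b @user1 Text before \u200Buser1");` with an expectation containing `a &amp; b @user1 Text before <strong><span>user1</span></strong>` would catch both a missing escape and a double escape (`&amp;amp;`). Note that the expected strings come back from jQuery's `.html()`, i.e. the serialised DOM, which is why the quotes in `src="/default.png"` survive as literal quotes on the `.toBe(...)` line even though `_.escape` rewrites them; any added expectation should be written the same way. A case where the mentioned person's name itself contains an escapable character would cover the splice path, but that depends on how the fixture people are built earlier in this file, which is outside the hunk.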
-- 
GitLab