🎨 escape sameAs for structured data (#7833)

closes #7832 - escape output for json-ld
TryGhost · Jan 10, 2017 · 8031102 · 8031102
1 parent 7cd13e6
commit 8031102
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 4 deletions.
diff --git a/core/server/data/meta/schema.js b/core/server/data/meta/schema.js
@@ -41,7 +41,7 @@ function trimSameAs(data, context) {
 
     if (context === 'post') {
         if (data.post.author.website) {
-            sameAs.push(data.post.author.website);
+            sameAs.push(escapeExpression(data.post.author.website));
         }
         if (data.post.author.facebook) {
             sameAs.push(socialUrls.facebookUrl(data.post.author.facebook));
@@ -51,7 +51,7 @@ function trimSameAs(data, context) {
         }
     } else if (context === 'author') {
         if (data.author.website) {
-            sameAs.push(data.author.website);
+            sameAs.push(escapeExpression(data.author.website));
         }
         if (data.author.facebook) {
             sameAs.push(socialUrls.facebookUrl(data.author.facebook));

diff --git a/core/test/unit/metadata/schema_spec.js b/core/test/unit/metadata/schema_spec.js
@@ -437,7 +437,7 @@ describe('getSchema', function () {
             context: ['author'],
             author: {
                 name: 'Author Name',
-                website: 'http://myblogsite.com/',
+                website: 'http://myblogsite.com/?user=bambedibu&a=<script>alert("bambedibu")</script>',
                 twitter: '@testuser'
             }
         }, schema = getSchema(metadata, data);
@@ -452,7 +452,7 @@ describe('getSchema', function () {
             },
             name: 'Author Name',
             sameAs: [
-                'http://myblogsite.com/',
+                'http://myblogsite.com/?user&#x3D;bambedibu&amp;a&#x3D;&lt;script&gt;alert(&quot;bambedibu&quot;)&lt;/script&gt;',
                 'https://twitter.com/testuser'
             ],
             url: 'http://mysite.com/author/me/'