SECURITY: Fix allowed font names (#41)
Limit the allowed names for fonts and add some tests.
oblakeerickson committed Nov 30, 2022
1 parent 7b95c3c commit 91478f5
Showing 2 changed files with 22 additions and 1 deletion.
2 changes: 1 addition & 1 deletion assets/javascripts/lib/discourse-markdown/bbcode.js
Expand Up @@ -202,7 +202,7 @@ export function setup(helper) {
helper.allowList({
custom(tag, name, value) {
if (tag === "span" && name === "style") {
return /^(font-size:(xx-small|x-small|small|medium|large|x-large|xx-large|[0-9]{1,3}%)|background-color:#?[a-zA-Z0-9]+|color:#?[a-zA-Z0-9]+|font-family:[\s\S]+)$/.exec(
return /^(font-size:(xx-small|x-small|small|medium|large|x-large|xx-large|[0-9]{1,3}%)|background-color:#?[a-zA-Z0-9]+|color:#?[a-zA-Z0-9]+|font-family:'[a-zA-Z0-9\s-]+')$/.exec(
value
);
}
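Review bot: The tightened `font-family:'[a-zA-Z0-9\s-]+'` alternative carries no comment saying which characters it deliberately leaves out, so the next person asked to admit a comma-separated font stack or a non-ASCII font name has nothing telling them why `'`, `;`, `:`, `(`, `)` and `\` are excluded. Suggest a comment above the return such as `// font-family must be a single quoted name; the class excludes quote, semicolon, colon, parens and backslash so the attribute cannot be closed early or extended with further declarations (see spec 'only uses fonts with valid text')`. A small further tightening worth considering is that `\s` also admits tabs, newlines and Unicode spaces, none of which belong in a font name, so `[a-zA-Z0-9 -]` with a literal space would be sufficient. The enclosing `custom` callback and `setup(helper)` continue outside the hunk.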
21 changes: 21 additions & 0 deletions spec/pretty_text_spec.rb
Expand Up @@ -25,6 +25,27 @@
expect(cooked).to eq(html)
end

it 'can apply font bbcode with hyphen' do
cooked = PrettyText.cook "hello [font=sans-serif]sans-serif[/font] text"
html = '<p>hello <span style="font-family:\'sans-serif\'">sans-serif</span> text</p>'

expect(cooked).to eq(html)
end

it 'can apply font bbcode with space' do
cooked = PrettyText.cook "hello [font=Times New Roman]Times New Roman[/font] text"
html = '<p>hello <span style="font-family:\'Times New Roman\'">Times New Roman</span> text</p>'

expect(cooked).to eq(html)
end

it 'only uses fonts with valid text' do
cooked = PrettyText.cook "hello [font=ui-monospace';]usa[/font] text"
html = '<p>hello <span>usa</span> text</p>'

expect(cooked).to eq(html)
end

it 'can apply small bbcode' do
cooked = PrettyText.cook "hello [small]usa[/small] text"
html = '<p>hello <span style="font-size:x-small">usa</span> text</p>'
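Review bot: The negative example `only uses fonts with valid text` exercises a single malformed value, `ui-monospace';`, which covers the closing quote but not the other characters the new regex rejects, so a later relaxation of the class (say re-admitting `;` for a font stack) would still pass this spec. Add a table-driven example covering a semicolon, a parenthesis, a colon and a backslash, each expected to cook to the bare `<span>` shown on the existing example; this assumes the bbcode parser passes those characters through the same way it does the existing `ui-monospace';` input, which is worth confirming when the example is run. The examples sit inside a `describe` block whose start and end are outside the hunk.
```ruby
# … unchanged: 'only uses fonts with valid text' example above …
it 'strips the style for any font name containing css metacharacters' do
  ['Arial;', 'Arial(', 'Arial:', 'Arial\\'].each do |name|
    cooked = PrettyText.cook "hello [font=#{name}]usa[/font] text"
    expect(cooked).to eq('<p>hello <span>usa</span> text</p>')
  end
end
```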
