SECURITY: Escape watched word in error message #14434

SECURITY: Escape watched word in error message
nbianca committed Sep 24, 2021
commit 40b776b9d39c41d9273d01eecf8fe03aa39fcb59
4 changes: 2 additions & 2 deletions lib/new_post_manager.rb
Expand Up @@ -201,10 +201,10 @@ def perform
result = NewPostResult.new(:created_post, false)
if matches.size == 1
key = 'contains_blocked_word'
translation_args = { word: matches[0] }
translation_args = { word: CGI.escapeHTML(matches[0]) }
else
key = 'contains_blocked_words'
translation_args = { words: matches.join(', ') }
translation_args = { words: CGI.escapeHTML(matches.join(', ')) }
end
result.errors.add(:base, I18n.t(key, translation_args))
return result
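Review bot: The escaping on the two `translation_args` lines bakes HTML entities into the I18n message string itself, so any consumer that presents `errors[:base]` as plain text (a JSON error payload, a log line, a mail) would show `&lt;a&gt;` instead of the actual word, and a view that already escapes errors on output would double-escape it; if the client renders this error as raw HTML and that is the reason to escape here, a comment such as `# escaped here: clients render this error message as HTML` next to the assignment would record it. The same key/args conditional is duplicated in lib/validators/watched_words_validator.rb in this commit, so building the key and args in one shared helper would keep both sites from drifting apart. `matches[0]` reads more idiomatically as `matches.first`. `perform` starts above this hunk.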
4 changes: 2 additions & 2 deletions lib/validators/watched_words_validator.rb
Expand Up @@ -5,10 +5,10 @@ def validate_each(record, attribute, value)
if matches = WordWatcher.new(value).should_block?.presence
if matches.size == 1
key = 'contains_blocked_word'
translation_args = { word: matches[0] }
translation_args = { word: CGI.escapeHTML(matches[0]) }
else
key = 'contains_blocked_words'
translation_args = { words: matches.join(', ') }
translation_args = { words: CGI.escapeHTML(matches.join(', ')) }
end
record.errors.add(:base, I18n.t(key, translation_args))
end
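--- a/spec/integration/watched_words_spec.rb
+++ b/spec/integration/watched_words_spec.rb
@@ -32,6 +32,14 @@ def should_block_post(manager)
 }.to_not change { Post.count }
 end
 
+it "escapes the blocked word in error message" do
+block_word = Fabricate(:watched_word, action: WatchedWord.actions[:block], word: "<a>")
+manager = NewPostManager.new(tl2_user, raw: "Want some #{block_word.word} for cheap?", topic_id: topic.id)
+result = manager.perform
+expect(result).to_not be_success
+expect(result.errors[:base]&.first).to eq(I18n.t('contains_blocked_word', word: "&lt;a&gt;"))
+end
+
 it "should prevent the post from being created" do
 manager = NewPostManager.new(tl2_user, raw: "Want some #{block_word.word} for cheap?", topic_id: topic.id)
 should_block_post(manager)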
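Review bot: The new example exercises only the single-word branch through NewPostManager, so the `contains_blocked_words` join branch and the WatchedWordsValidator site changed in the same commit have no coverage and could regress without a failing test. A companion example with two blocked words would pin the plural key, asserting `I18n.t('contains_blocked_words', words: "&lt;a&gt;, &lt;b&gt;")` (assuming the matches come back in text order). The local `block_word` assigned inside the example appears to shadow a `let` of the same name that the next example relies on; a distinct name such as `html_word` would avoid the confusion. should_block_post and the enclosing describe block start outside the hunk.
```ruby
it "escapes every blocked word in the plural error message" do
  Fabricate(:watched_word, action: WatchedWord.actions[:block], word: "<a>")
  Fabricate(:watched_word, action: WatchedWord.actions[:block], word: "<b>")
  manager = NewPostManager.new(tl2_user, raw: "Want some <a> or <b> for cheap?", topic_id: topic.id)
  result = manager.perform
  expect(result).to_not be_success
  expect(result.errors[:base]&.first).to eq(I18n.t('contains_blocked_words', words: "&lt;a&gt;, &lt;b&gt;"))
end
```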