
Fix CVE-2017-16792 - Stored XSS

Reject JavaScript links
sonots committed Nov 11, 2017
1 parent c173cb5 commit f8429a9e364658459add170e4ebc7a5d3b4759e7
Showing with 11 additions and 2 deletions.
  1. +9 −0 lib/geminabox/server.rb
  2. +1 −1 views/gem.erb
  3. +1 −1 views/index.erb
@@ -307,6 +307,15 @@ def combined_gem_list
end
helpers do
def href(text)
escaped_text = Rack::Utils.escape_html(text)
if escaped_text.start_with?('http://') || escaped_text.start_with?('https://')
escaped_text
else
'#'
end
end
def h(text)
Rack::Utils.escape_html(text)
end
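Review bot: The new `href` helper carries no comment stating its contract, so a reader cannot tell from the code why a non-http(s) value becomes `'#'` rather than being passed through. Suggest adding above `def href(text)`: `# Link targets are allow-listed to http(s); anything else (e.g. a javascript: scheme, the CVE-2017-16792 vector) collapses to '#'.` It is also worth noting in that comment that the `start_with?` test is case-sensitive, so an upper-case `HTTP://` scheme is rejected as well — fail-closed, which is the right side to err on, but callers should know. `Rack::Utils.escape_html` appears to coerce its argument with `to_s`, so a gemspec with no homepage should yield `'#'`; a test pinning `href(nil) == '#'` would make that explicit rather than relying on Rack's behaviour. The `helpers do` block continues past the end of the hunk.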
@@ -27,7 +27,7 @@
<%= spec.description %>
<br/>
<span class="author">– <%= spec.authors.map do |author|
"<a href='#{h(spec.homepage)}'>#{author}</a>"
"<a href='#{href(spec.homepage)}'>#{author}</a>"
end.join(', ') %></span>
<% end %>
</p>
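Review bot: The rewritten anchor line still interpolates `#{author}` unescaped into the element body, so author strings taken from the uploaded gemspec reach the page raw even though the homepage attribute is now filtered; the identical line in the views/index.erb hunk has the same gap. Unless this template is rendered with auto-escaping configured elsewhere (not visible here), the line should read `"<a href='#{href(spec.homepage)}'>#{h(author)}</a>"`, reusing the existing `h` helper. The `<% ... %>` loop that `<% end %>` closes begins outside the hunk.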
@@ -46,7 +46,7 @@
<%= spec.description %>
<br/>
<span class="author">– <%= spec.authors.map do |author|
"<a href='#{h(spec.homepage)}'>#{author}</a>"
"<a href='#{href(spec.homepage)}'>#{author}</a>"
end.join(', ') %></span>
<% end %>
</p>
