Use Redcarpet Safe render to base OBS markdown render

openSUSE · May 13, 2020 · 113dc06 · 113dc06
1 parent 49201ad
commit 113dc06
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/src/api/lib/obsapi/markdown_renderer.rb b/src/api/lib/obsapi/markdown_renderer.rb
@@ -1,7 +1,7 @@
 require 'uri'
 
 module OBSApi
-  class MarkdownRenderer < Redcarpet::Render::HTML
+  class MarkdownRenderer < Redcarpet::Render::Safe
     include Rails.application.routes.url_helpers
 
     def self.default_url_options

diff --git a/src/api/spec/helpers/webui/markdown_helper_spec.rb b/src/api/spec/helpers/webui/markdown_helper_spec.rb
@@ -28,5 +28,13 @@
         "<p>anbox<a href='the number'>400000+22d000</a></p>\n"
       )
     end
+
+    it 'does remove dangerous html from the view' do
+      expect(render_as_markdown('<script></script>')).to eq('')
+    end
+
+    it 'does remove dangerous html from inside the links' do
+      expect(render_as_markdown('[<script></script>](https://build.opensuse.org)')).to eq("<p><a href='https://build.opensuse.org'></a></p>\n")
+    end
   end
 end