[ARVADOS] created: 1.1.4-788-ga9a202895
Git user
git at public.curoverse.com
Tue Aug 14 13:34:48 EDT 2018
at a9a202895a63f29e8bc045c50f5518800b008275 (commit)
commit a9a202895a63f29e8bc045c50f5518800b008275
Author: Lucas Di Pentima <ldipentima at veritasgenetics.com>
Date: Tue Aug 14 14:01:36 2018 -0300
14028: Sanitize RedCloth's output.
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <ldipentima at veritasgenetics.com>
diff --git a/apps/workbench/app/helpers/application_helper.rb b/apps/workbench/app/helpers/application_helper.rb
index 106716a0f..cba0c6269 100644
--- a/apps/workbench/app/helpers/application_helper.rb
+++ b/apps/workbench/app/helpers/application_helper.rb
@@ -16,7 +16,7 @@ module ApplicationHelper
end
def render_markup(markup)
- raw RedCloth.new(markup.to_s).to_html(:refs_arvados, :textile) if markup
+ sanitize(raw(RedCloth.new(markup.to_s).to_html(:refs_arvados, :textile))) if markup
end
def human_readable_bytes_html(n)
commit d06843b42863fb2db47d11f18ce60b80cc5a8c55
Author: Lucas Di Pentima <ldipentima at veritasgenetics.com>
Date: Tue Aug 14 14:32:47 2018 -0300
14028: Add test exposing the bug
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <ldipentima at veritasgenetics.com>
diff --git a/apps/workbench/test/controllers/projects_controller_test.rb b/apps/workbench/test/controllers/projects_controller_test.rb
index ada0e33e7..c35d83ffc 100644
--- a/apps/workbench/test/controllers/projects_controller_test.rb
+++ b/apps/workbench/test/controllers/projects_controller_test.rb
@@ -341,6 +341,16 @@ class ProjectsControllerTest < ActionController::TestCase
assert_includes @response.body, 'Textile description with link to home page <a href="/">take me home</a>.'
end
+ test "find a project and edit description to unsafe html description" do
+ project = api_fixture('groups')['aproject']
+ use_token :active
+ found = Group.find(project['uuid'])
+ found.description = 'Textile description with unsafe script tag <script language="javascript">alert("Hello there")</script>.'
+ found.save!
+ get(:show, {id: project['uuid']}, session_for(:active))
+ assert_includes @response.body, 'Textile description with unsafe script tag alert("Hello there").'
+ end
+
test "find a project and edit description to textile description with link to object" do
project = api_fixture('groups')['aproject']
use_token :active
-----------------------------------------------------------------------
hooks/post-receive
--
More information about the arvados-commits
mailing list