مراية لـ
https://github.com/postalserver/postal.git
تم المزامنة 2026-05-31 04:35:42 +00:00
9243524035
The endpoint and domain option helpers interpolated model attributes straight into an HTML string before marking the whole buffer html_safe. Wrap the interpolations in h() so untrusted attributes can't break out of the surrounding tag. Also stop the helpers glob in rails_helper from eagerly requiring _spec.rb files so helper specs can live under spec/helpers/, and add a small application helper spec covering the escape behaviour.
38 أسطر
1.2 KiB
Ruby
38 أسطر
1.2 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
require "rails_helper"
|
|
|
|
RSpec.describe ApplicationHelper, type: :helper do
|
|
describe "#endpoint_options_for_select" do
|
|
let(:server) { create(:server) }
|
|
|
|
context "when an endpoint has HTML characters in its description" do
|
|
let(:payload) { %q(x'"><script>alert(1)</script>) }
|
|
|
|
before do
|
|
create(:http_endpoint, server: server, name: payload)
|
|
end
|
|
|
|
it "HTML-escapes the endpoint description in the option text" do
|
|
html = helper.endpoint_options_for_select(server)
|
|
|
|
# The raw payload must not appear verbatim — if it does, the browser
|
|
# will execute the <script> tag.
|
|
expect(html).not_to include("<script>alert(1)</script>")
|
|
|
|
# Escaped form should appear instead.
|
|
expect(html).to include("<script>alert(1)</script>")
|
|
end
|
|
|
|
it "does not allow the payload to break out of the option tag" do
|
|
html = helper.endpoint_options_for_select(server)
|
|
|
|
# The ' and > characters in the payload must be escaped so they
|
|
# cannot close the opening <option value='...'> or terminate the
|
|
# element early.
|
|
expect(html).not_to match(/<option[^>]*>[^<]*<script/)
|
|
end
|
|
end
|
|
end
|
|
end
|