
Commit 83c71ce

Merge pull request #2228 from basecamp/fix-html-injection-in-webhook-event-descriptions-through-card-titles
Fix HTML injection in webhooks through card titles
2 parents 641e67d + 0df667f commit 83c71ce


2 files changed

+11
-1
lines changed


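--- a/app/models/event/description.rb
+++ b/app/models/event/description.rb
@@ -14,7 +14,7 @@ def to_html
 end
 
 def to_plain_text
-to_sentence(creator_name, card.title)
+to_sentence(creator_name, h(card.title))
 end
 
 private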
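Review bot: Only `card.title` is wrapped in `h` on new line 17 while `creator_name` is passed through unescaped, so if that name derives from a user-editable field the same injection path through the webhook payload remains open; whether it does is not visible in this hunk and should be checked. Escaping inside a method named `to_plain_text` also changes its contract: any consumer that renders the result as genuine plain text will now display `&lt;script&gt;` literally, and only consumers that treat it as HTML benefit. Escaping at the HTML-producing boundary (`to_html`, whose body is outside the hunk) would keep the two methods consistent; if escaping here is deliberate because the webhook consumers render this string as HTML, that decision deserves a comment above the method, e.g. `# Escaped with h: webhook consumers render this string as HTML`.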

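--- a/test/models/event/description_test.rb
+++ b/test/models/event/description_test.rb
@@ -32,4 +32,14 @@ class Event::DescriptionTest < ActiveSupport::TestCase
 
 assert_includes description.to_plain_text, "David added"
 end
+
+test "escapes html in card titles in plain text description" do
+card = cards(:logo)
+card.update_column(:title, "<script>alert('xss')</script>")
+
+description = events(:logo_published).description_for(users(:david))
+
+assert_includes description.to_plain_text, "&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;"
+assert_not_includes description.to_plain_text, "<script>"
+end
 end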
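Review bot: The assertion on new line 42 pins the escaper's exact apostrophe encoding (`&#39;`), so the test will break on a change of escaping helper even though the security property is unchanged; the `assert_not_includes` on line 43 already captures that property, so the first assertion could be loosened to `assert_includes description.to_plain_text, "&lt;script&gt;"`. The test covers only `to_plain_text`; a parallel assertion against `to_html` for the same fixture would confirm that both output paths escape the title, since the commit message does not say which path the webhook uses.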
