authorPetteri Räty <betelgeuse@gentoo.org>2011-08-02 23:32:04 +0300
committerPetteri Räty <betelgeuse@gentoo.org>2011-08-02 23:32:24 +0300
commitcf450f1e4f5f2317e64291487bfccd89a2b243bf (patch)
tree6f5c27d827a49d61e8158ba3dd48f438cc10ad66
parentDon't show wrong unanswered questions count (diff)
Fix two XSS injectionsHEADmaster
The EmailAddress problem was submitted upstream to hobo.
-rw-r--r--app/views/taglibs/views.dryml2
-rw-r--r--config/initializers/email_address.rb9
-rw-r--r--spec/models/user_spec.rb5
3 files changed, 15 insertions, 1 deletions
diff --git a/app/views/taglibs/views.dryml b/app/views/taglibs/views.dryml
index c4bcd89..c5be181 100644
--- a/app/views/taglibs/views.dryml
+++ b/app/views/taglibs/views.dryml
@@ -10,7 +10,7 @@
<%= this.content.to_html %>
<ul>
<repeat:options>
- <li><%=this.content%></li>
+ <li><%= h this.content%></li>
</repeat>
</ul>
</def>
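Review bot: The sibling `<%= this.content.to_html %>` at the top of the hunk is still emitted without `h`, so the fix covers only the `<repeat:options>` items; whether that line is safe depends on what `this.content`'s `to_html` returns, which is not visible here. If that type renders markup by design and therefore cannot simply be wrapped in `h`, a comment on that line such as `<%# content.to_html is relied on to return already-escaped markup; do not wrap in h %>` would record that the omission is deliberate rather than an oversight. The `<def>` that encloses this markup begins outside the hunk.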
diff --git a/config/initializers/email_address.rb b/config/initializers/email_address.rb
new file mode 100644
index 0000000..02e48cb
--- /dev/null
+++ b/config/initializers/email_address.rb
@@ -0,0 +1,9 @@
+require 'hobo_fields/email_address'
+
+class HoboFields::EmailAddress
+ def to_html_with_escape(xmldoctype = true)
+ ERB::Util.h to_html_without_escape xmldoctype
+ end
+
+ alias_method_chain :to_html, :escape
+end
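Review bot: The new initializer has no comment explaining why it reopens `HoboFields::EmailAddress`, so a reader cannot tell that this is a workaround for `to_html` returning the address unescaped, nor that the issue has already been reported upstream as the commit description says. A header above the `class` line such as `# Workaround: HoboFields::EmailAddress#to_html returns the address unescaped (XSS). Reported upstream to hobo; drop this once the fix is released (see <upstream ticket placeholder>).` would record both the intent and the exit condition, which matters because once hobo escapes on its own this chain would double-escape the output. As a minor point of style, `ERB::Util.h(to_html_without_escape(xmldoctype))` with parentheses reads more clearly than the two nested paren-less calls.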
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index e6724d8..7552a1e 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -8,6 +8,11 @@ describe User do
new_user.role.should == :recruit
end
+ it "should escape emails" do
+ u = User.new :email_address => "<script>alert('foo')<script>@foo.com"
+ u.email_address.to_html.should == "&lt;script&gt;alert('foo')&lt;script&gt; at foo dot com"
+ end
+
it { should allow_value(:mentor).for(:role) }
it { should allow_value(:recruiter).for(:role) }
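Review bot: The new example pins the EmailAddress escaping, but nothing exercises the other half of the commit, the `h this.content` change in app/views/taglibs/views.dryml, so that regression could return unnoticed; a view or request spec that renders an option containing `<script>` and asserts on `&lt;script&gt;` would close the gap. The expected string also asserts that `'` is left unescaped, which ties the example to the exact escape table of the framework's `ERB::Util.h`; a note on the assertion such as `# expected output follows ERB::Util.h's escape table for this framework version` would make that coupling explicit if it fails after an upgrade. The `describe User do` block continues outside the hunk.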