XSS Security Fix
There was a XSS vulnerability in the handling of categories. Now they are escaped.
This commit is contained in:
parent
6fd6be8fea
commit
5ff1b7f6da
2 changed files with 8 additions and 1 deletions
|
@ -16,7 +16,7 @@ class Category < Chunk::Abstract
|
|||
def initialize(match_data, content)
|
||||
super(match_data, content)
|
||||
@hidden = match_data[1]
|
||||
@list = match_data[2].split(',').map { |c| c.strip }
|
||||
@list = match_data[2].split(',').map { |c| html_escape(c.strip) }
|
||||
@unmask_text = ''
|
||||
if @hidden
|
||||
@unmask_text = ''
|
||||
|
|
|
@ -74,6 +74,13 @@ module Chunk
|
|||
@content.delete_chunk(self)
|
||||
end
|
||||
|
||||
def html_escape(string)
|
||||
string.gsub( /&/, "&" ).
|
||||
gsub( /</, "<" ).
|
||||
gsub( />/, ">" ).
|
||||
gsub( /"/, """ )
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
|
|
Loading…
Reference in a new issue