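--- a/FILE_1_PATH_NOT_SHOWN_ON_PAGE
+++ b/FILE_1_PATH_NOT_SHOWN_ON_PAGE
@@ -6,7 +6,7 @@
 
 <%= link_to leafable_path ( leaf ) , class : "toc__thumbnail" , data : { turbo_frame : "_top" } do %>
 <%= leaf . section . body if leaf . section? %>
-<%= leaf . leafable . body . to_html if leaf . page? %>
+<%= sanitize_content ( leaf . leafable . body . to_html ) if leaf . page? %>
 <%= image_tag leaf . leafable . image . variant ( :large ) if leaf . picture &.image &.attached? %>
 <% end %>
 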
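Review bot: The new `sanitize_content(...)` wrapper covers only the page body; the `leaf . section . body` output on the line just above it is still rendered unwrapped, and this hunk does not show whether a section body is user-authored rich text like a page body or a plain string. If it is rich text it needs the same treatment, `<%= sanitize_content(leaf.section.body) if leaf.section? %>`; if it is plain text ERB's default escaping already applies, and a short `<%# section.body is plain text, escaped by ERB %>` comment would stop the next reader re-raising this. `sanitize_content` is not defined in this commit, so its allowlist, which decides whether the rendered output is actually safe, cannot be reviewed here. The `link_to ... do` block that encloses the change opens on the second line of the hunk and closes at the `<% end %>`.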
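--- a/FILE_2_PATH_NOT_SHOWN_ON_PAGE
+++ b/FILE_2_PATH_NOT_SHOWN_ON_PAGE
@@ -51,7 +51,7 @@
 <% end %>
 </ header >
 
-<%= @edit . page . body . to_html %>
+<%= sanitize_content ( @edit . page . body . to_html ) %>
 <% end %>
 </ section >
 
@@ -62,6 +62,6 @@
 <% end %>
 </ header >
 
-<%= @leaf . page . body . to_html %>
+<%= sanitize_content ( @leaf . page . body . to_html ) %>
 </ section >
 </ div >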
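Review bot: The expression `sanitize_content(... .page.body.to_html)` is now repeated in both hunks of this file and once more in the thumbnail partial, so every future view that renders a page body has to remember to add the wrapper, and a forgotten one re-opens the same issue silently. Putting the sanitization next to the data instead — a view helper such as `def page_body_html(page) = sanitize_content(page.body.to_html)` (a constructed name), or sanitizing inside whatever `body.to_html` is, if the helper is reachable there — would make the raw `to_html` unnecessary in views and reduce each call site to `<%= page_body_html(@edit.page) %>`. Until that refactor, a `<%# body.to_html is untrusted rich text; always wrap it in sanitize_content %>` comment at the first call site would carry the intent. Both `<section>` elements open before their hunks.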
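--- a/FILE_3_PATH_NOT_SHOWN_ON_PAGE
+++ b/FILE_3_PATH_NOT_SHOWN_ON_PAGE
@@ -23,4 +23,25 @@ class Pages::EditsControllerTest < ActionDispatch::IntegrationTest
 assert_response :success
 assert_select "p" , /such a great handbook/
 end
+
+test "show sanitizes dangerous content in previous version" do
+leaf = books ( :handbook ) . press Page . new ( body : %(<img src=x onerror="alert(1)">) ) , title : "XSS Test"
+leaf . edit leafable_params : { body : "Clean content now" }
+
+get page_edit_url ( leaf , leaf . edits . last )
+
+assert_response :success
+assert_match '<img src="x">' , response . body
+assert_no_match ( /onerror/ , response . body )
+end
+
+test "show sanitizes dangerous content in current version" do
+leaves ( :welcome_page ) . edit leafable_params : { body : %(<img src=x onerror="alert(1)">) }
+
+get page_edit_url ( leaves ( :welcome_page ) , leaves ( :welcome_page ) . edits . last )
+
+assert_response :success
+assert_match '<img src="x">' , response . body
+assert_no_match ( /onerror/ , response . body )
+end
 end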
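Review bot: Neither new test exercises the thumbnail partial changed in this commit, since both only request `page_edit_url`, so that view's sanitization has no regression coverage. The two cases also prove only that an `onerror` attribute is stripped from an `<img>`; because the allowlist of `sanitize_content` lives outside this commit, a case with a `<script>` element and one with a `javascript:` URL in an `href` would pin the behaviour the views now depend on, e.g. `assert_no_match(/<script/i, response.body)`. The positive `assert_match '<img src="x">'` ties the test to the sanitizer re-serializing the attribute with quotes, which is fine but deserves a comment such as `# sanitizer normalises src=x to src="x"; a serializer change is not a sanitization regression` so a later failure is diagnosed correctly. `Pages::EditsControllerTest` opens before this hunk; its closing `end` is the last context line.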