015613a140
In commit f374478dd, we enabled the possibility to use HTML in the
search results translations in order to add a <strong> tag to these
results. However, that meant we were also allowing HTML tags inside the
search term itself, and so it was possible to inject HTML on the page.
Stripping the HTML tags solves the issue.
Note the issue wasn't a high severity issue because tags such as
`<script>` weren't allowed since we were using the `sanitize` helper.
37 lines
1.0 KiB
Ruby
37 lines
1.0 KiB
Ruby
require "rails_helper"
|
|
|
|
describe "HTML injection protection" do
|
|
let(:attack_code) { "<a href='/evil'>Click me</a>" }
|
|
|
|
scenario "debates search" do
|
|
visit debates_path(search: attack_code)
|
|
|
|
expect(page).to have_content "containing the term 'Click me'"
|
|
expect(page).not_to have_link "Click me"
|
|
end
|
|
|
|
scenario "investments search" do
|
|
visit budget_investments_path(budget_id: create(:budget), search: attack_code)
|
|
|
|
expect(page).to have_content "containing the term 'Click me'"
|
|
expect(page).not_to have_link "Click me"
|
|
end
|
|
|
|
scenario "proposals search" do
|
|
visit proposals_path(search: attack_code)
|
|
|
|
expect(page).to have_content "containing the term 'Click me'"
|
|
expect(page).not_to have_link "Click me"
|
|
end
|
|
|
|
scenario "proposals search in the management area" do
|
|
login_managed_user(create(:user, :level_two))
|
|
login_as_manager
|
|
|
|
visit management_proposals_path(search: attack_code)
|
|
|
|
expect(page).to have_content "containing the term 'Click me'"
|
|
expect(page).not_to have_link "Click me"
|
|
end
|
|
end
|