Use text() instead of html()

Using html() makes it possible to insert <script> tags in the DOM, and in this case we aren't supposed to be inserting any HTML. I haven't found a way to focus on a field with Capybara, then add a character, and focus on another field. So I've manually triggered the change event in the test.
2019-10-18 22:00:27 +02:00
parent 31c2379a4e
commit d61e8cb6a6
3 changed files with 17 additions and 5 deletions
--- a/app/assets/javascripts/banners.js
+++ b/app/assets/javascripts/banners.js
@@ -4,12 +4,12 @@
    initialize: function() {
      $("[data-js-banner-title]").on({
        change: function() {
-          $("#js-banner-title").html($(this).val());
+          $("#js-banner-title").text($(this).val());
        }
      });
      $("[data-js-banner-description]").on({
        change: function() {
-          $("#js-banner-description").html($(this).val());
+          $("#js-banner-description").text($(this).val());
        }
      });
      $("[name='banner[background_color]']").on({
--- a/app/assets/javascripts/markdown_editor.js
+++ b/app/assets/javascripts/markdown_editor.js
@@ -33,10 +33,10 @@
          editor.toggleClass("fullscreen");
          $(".fullscreen-container").toggleClass("medium-8", "medium-12");
          span = $(this).find("span");
-          if (span.html() === span.data("open-text")) {
-            span.html(span.data("closed-text"));
+          if (span.text() === span.data("open-text")) {
+            span.text(span.data("closed-text"));
          } else {
-            span.html(span.data("open-text"));
+            span.text(span.data("open-text"));
          }
          if (editor.hasClass("fullscreen")) {
            App.MarkdownEditor.find_textarea(editor).height($(window).height() - 100);
--- a/spec/features/xss_spec.rb
+++ b/spec/features/xss_spec.rb
@@ -13,6 +13,18 @@ describe "Cross-Site Scripting protection", :js do
    expect(page.text).not_to be_empty
  end

+  scenario "edit banner" do
+    banner = create(:banner, title: attack_code)
+
+    login_as(create(:administrator).user)
+    visit edit_admin_banner_path(banner)
+
+    title_id = find_field("Title")[:id]
+    execute_script "document.getElementById('#{title_id}').dispatchEvent(new Event('change'))"
+
+    expect(page.text).not_to be_empty
+  end
+
  scenario "document title" do
    process = create(:legislation_process)
    create(:document, documentable: process, title: attack_code)