Merge pull request #1243 from cniedzwiedz/squash_test

Fixed XSS in markdown() method

app/helpers/application_helper.rb

@@ -295,7 +295,7 @@ module ApplicationHelper
       space_after_headers: true,
       no_intra_emphasis: true
     }
-    markdown = Redcarpet::Markdown.new(Redcarpet::Render::HTML, options)
+    markdown = Redcarpet::Markdown.new(Redcarpet::Render::HTML.new(escape_html: true), options)
     markdown.render(text).html_safe
   end
 

spec/factories/events.rb

@@ -35,4 +35,8 @@ FactoryGirl.define do
       end
     end
   end
+
+  factory :event_xss, parent: :event do
+    abstract { '<div id="divInjectedElement"></div>' }
+  end
 end

spec/factories/lodgings.rb

@@ -6,4 +6,8 @@ FactoryGirl.define do
     description { Faker::Lorem.paragraph }
     website_link { Faker::Internet.url }
   end
+
+  factory :lodging_xss, parent: :lodging do
+    description { '<div id="divInjectedElement"></div>' }
+  end
 end

spec/factories/users.rb

@@ -45,4 +45,9 @@ FactoryGirl.define do
       end
     end
   end
+
+  factory :user_xss, parent: :user do
+    biography '<div id="divInjectedElement"></div>'
+  end
+
 end

spec/views/admin/lodgings/index.html.haml_spec.rb

@@ -9,4 +9,14 @@ describe 'admin/lodgings/index' do
     render
     expect(rendered).to include(CGI.escapeHTML(@conference.lodgings.first.name))
   end
+
+  it 'prevents XSS in lodging description' do
+    @conference = create(:conference)
+    @conference.venue = create(:venue)
+    @conference.lodgings << create(:lodging_xss)
+    assign :venue, @conference.venue
+    render
+    expect(rendered).to_not have_selector('#divInjectedElement')
+  end
+
 end

spec/views/proposals/show.html.haml_spec.rb

@@ -0,0 +1,20 @@
+require 'spec_helper'
+
+describe 'proposals/show' do
+  let!(:conference) { create(:conference) }
+  let!(:event) { create(:event_xss, program: conference.program, title: 'event1', language: 'English') }
+  let(:organizer_role) { Role.find_by(name: 'organizer', resource: conference) }
+  let(:organizer) { create(:user, name: 'test name', email: 'test@email.osem', role_ids: [organizer_role.id]) }
+
+  it 'renders proposal information' do
+    sign_in organizer
+
+    assign :conference, conference
+    assign :event, event
+    assign :speaker, organizer
+
+    render template: 'proposals/show.html.haml'
+
+    expect(rendered).to_not have_selector('#divInjectedElement')
+  end
+end

spec/views/users/show.html.haml_spec.rb

@@ -0,0 +1,17 @@
+require 'spec_helper'
+
+describe 'users/show' do
+  let!(:conference) { create(:conference) }
+  let(:organizer_role) { Role.find_by(name: 'organizer', resource: conference) }
+  let(:organizer) { create(:user_xss, name: 'test name', email: 'test@email.osem', role_ids: [organizer_role.id]) }
+
+  it 'renders proposal information' do
+    sign_in organizer
+
+    assign :user, organizer
+
+    render template: 'users/show.html.haml'
+
+    expect(rendered).to_not have_selector('#divInjectedElement')
+  end
+end