From d2e177cac427fc73f74154761b8a0b3ebdb75ae5 Mon Sep 17 00:00:00 2001 From: Chris Niedzwiedz Date: Mon, 9 Jan 2017 12:27:11 -0600 Subject: [PATCH] Testing if I can squash this way (#1) * Fixed XSS resulting from markdown() method --- app/helpers/application_helper.rb | 2 +- spec/factories/events.rb | 4 ++++ spec/factories/lodgings.rb | 4 ++++ spec/factories/users.rb | 5 +++++ .../admin/lodgings/index.html.haml_spec.rb | 10 ++++++++++ spec/views/proposals/show.html.haml_spec.rb | 20 +++++++++++++++++++ spec/views/users/show.html.haml_spec.rb | 17 ++++++++++++++++ 7 files changed, 61 insertions(+), 1 deletion(-) create mode 100644 spec/views/proposals/show.html.haml_spec.rb create mode 100644 spec/views/users/show.html.haml_spec.rb
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 6dcbd422..eae107cf 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -260,7 +260,7 @@ module ApplicationHelper
 space_after_headers: true,
 no_intra_emphasis: true
 }
- markdown = Redcarpet::Markdown.new(Redcarpet::Render::HTML, options)
+ markdown = Redcarpet::Markdown.new(Redcarpet::Render::HTML.new(escape_html: true), options)
 markdown.render(text).html_safe
 end

diff --git a/spec/factories/events.rb b/spec/factories/events.rb
index c306cdf9..06d791e2 100644
--- a/spec/factories/events.rb
+++ b/spec/factories/events.rb
@@ -35,4 +35,8 @@ FactoryGirl.define do
 end
 end
 end
+
+ factory :event_xss, parent: :event do
+ abstract { '
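Review bot: `escape_html: true` on the added line neutralizes raw HTML written in the markdown source, but it leaves link destinations alone, so a markdown link whose target uses a non-http(s) scheme is still emitted verbatim into output that the next line marks `html_safe`. Redcarpet's HTML renderer covers that with its own flag; I would construct it as `Redcarpet::Render::HTML.new(escape_html: true, safe_links_only: true)`. The enclosing `markdown` method starts before this hunk, so I could not see whether any caller relies on raw HTML passing through; if one does, it will now render as literal text, which deserves a comment above the renderer line such as `# escape_html: treat any raw HTML in user-supplied markdown as text, never as markup`. The renderer is also rebuilt on every call although it holds no per-call state, so it could live in a module-level constant, but that is optional.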
' }
+ end
 end
diff --git a/spec/factories/lodgings.rb b/spec/factories/lodgings.rb
index 636d9060..a4bbf73c 100644
--- a/spec/factories/lodgings.rb
+++ b/spec/factories/lodgings.rb
@@ -6,4 +6,8 @@ FactoryGirl.define do
 description { Faker::Lorem.paragraph }
 website_link { Faker::Internet.url }
 end
+
+ factory :lodging_xss, parent: :lodging do
+ description { '
' }
+ end
 end
diff --git a/spec/factories/users.rb b/spec/factories/users.rb
index c7ed7ca1..346ddb80 100644
--- a/spec/factories/users.rb
+++ b/spec/factories/users.rb
@@ -45,4 +45,9 @@ FactoryGirl.define do
 end
 end
 end
+
+ factory :user_xss, parent: :user do
+ biography '
'
+ end
+
 end
diff --git a/spec/views/admin/lodgings/index.html.haml_spec.rb b/spec/views/admin/lodgings/index.html.haml_spec.rb
index 95f16be4..c0cdf72e 100644
--- a/spec/views/admin/lodgings/index.html.haml_spec.rb
+++ b/spec/views/admin/lodgings/index.html.haml_spec.rb
@@ -9,4 +9,14 @@ describe 'admin/lodgings/index' do
 render
 expect(rendered).to include(CGI.escapeHTML(@conference.lodgings.first.name))
 end
+
+ it 'prevents XSS in lodging description' do
+ @conference = create(:conference)
+ @conference.venue = create(:venue)
+ @conference.lodgings << create(:lodging_xss)
+ assign :venue, @conference.venue
+ render
+ expect(rendered).to_not have_selector('#divInjectedElement')
+ end
+
 end
diff --git a/spec/views/proposals/show.html.haml_spec.rb b/spec/views/proposals/show.html.haml_spec.rb
new file mode 100644
index 00000000..3ff48b23
--- /dev/null
+++ b/spec/views/proposals/show.html.haml_spec.rb
@@ -0,0 +1,20 @@
+require 'spec_helper'
+
+describe 'proposals/show' do
+ let!(:conference) { create(:conference) }
+ let!(:event) { create(:event_xss, program: conference.program, title: 'event1', language: 'English') }
+ let(:organizer_role) { Role.find_by(name: 'organizer', resource: conference) }
+ let(:organizer) { create(:user, name: 'test name', email: 'test@email.osem', role_ids: [organizer_role.id]) }
+
+ it 'renders proposal information' do
+ sign_in organizer
+
+ assign :conference, conference
+ assign :event, event
+ assign :speaker, organizer
+
+ render template: 'proposals/show.html.haml'
+
+ expect(rendered).to_not have_selector('#divInjectedElement')
+ end
+end
diff --git a/spec/views/users/show.html.haml_spec.rb b/spec/views/users/show.html.haml_spec.rb
new file mode 100644
index 00000000..55fa2550
--- /dev/null
+++ b/spec/views/users/show.html.haml_spec.rb
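Review bot: `biography '…'` in the new `user_xss` factory is a static attribute, whereas the `event_xss` and `lodging_xss` factories added in the same patch use the block form (`abstract { '…' }`, `description { '…' }`); writing it as `biography { '…' }` keeps the three fixtures consistent and evaluates the value per build like its siblings. The hunk also adds a blank line between the factory's `end` and the closing `end` of `FactoryGirl.define`, which the other two factory hunks do not; dropping it keeps the files aligned. The fixture's markup itself is not visible on this page, so I have not checked what it contains.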
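Review bot: `expect(rendered).to_not have_selector('#divInjectedElement')` in the new `prevents XSS in lodging description` example is only a negative assertion, so it also passes if the view stops rendering the description at all; the example just above it already shows the stronger pattern, and adding `expect(rendered).to include(CGI.escapeHTML(@conference.lodgings.first.description))` (check that it agrees with how Redcarpet escapes quote characters) would prove the field is rendered and arrives escaped. The same applies to the new `proposals/show` spec in the following file section (assert on the escaped `event.abstract`) and to the `users/show` spec in the next hunk (assert on the escaped `organizer.biography`). Both new spec files also reuse the description `it 'renders proposal information'`, which says nothing about the escaping check and is wrong for the user page; something like `it 'escapes HTML in the biography'` reads better.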
@@ -0,0 +1,17 @@
+require 'spec_helper'
+
+describe 'users/show' do
+ let!(:conference) { create(:conference) }
+ let(:organizer_role) { Role.find_by(name: 'organizer', resource: conference) }
+ let(:organizer) { create(:user_xss, name: 'test name', email: 'test@email.osem', role_ids: [organizer_role.id]) }
+
+ it 'renders proposal information' do
+ sign_in organizer
+
+ assign :user, organizer
+
+ render template: 'users/show.html.haml'
+
+ expect(rendered).to_not have_selector('#divInjectedElement')
+ end
+end