Infrastructure/ghost
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2025-03-11 02:12:21 -05:00
Code Issues Activity

Escaping several fields to prevent XSS

Browse source 
issue #938
- escapes post's title field
- escapes settings title, description, email
- escapes user's name field
- includes test for post title
This commit is contained in:
Tim Griesser 2013-10-07 13:02:57 -04:00 committed by Hannah Wolfe
parent d169bba3f8
commit c9235ccb0b
4 changed files with 32 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
core/server/models/post.js
View file

@ -51,7 +51,7 @@ Post = GhostBookshelf.Model.extend({
this.set('html', converter.makeHtml(this.get('markdown'))); this.set('html', converter.makeHtml(this.get('markdown')));
this.set('title', this.get('title').trim()); this.set('title', this.escape('title').trim());
if (this.hasChanged('status') && this.get('status') === 'published') { if (this.hasChanged('status') && this.get('status') === 'published') {
if (!this.get('published_at')) { if (!this.get('published_at')) {

12
core/server/models/settings.js
View file

@ -73,7 +73,19 @@ Settings = GhostBookshelf.Model.extend({
validation[validationName].apply(validation, validationOptions); validation[validationName].apply(validation, validationOptions);
}, this); }, this);
} }
},
saving: function () {
// All blog setting keys that need their values to be escaped.
if (this.get('type') === 'blog' && _.contains(['title', 'description', 'email'], this.get('key'))) {
this.set('value', this.escape('value'));
}
return GhostBookshelf.Model.prototype.saving.apply(this, arguments);
} }
}, { }, {
read: function (_key) { read: function (_key) {
// Allow for just passing the key instead of attributes // Allow for just passing the key instead of attributes

7
core/server/models/user.js
View file

@ -55,6 +55,13 @@ User = GhostBookshelf.Model.extend({
} }
}, },
saving: function () {
this.set('name', this.escape('name'));
return GhostBookshelf.Model.prototype.saving.apply(this, arguments);
},
posts: function () { posts: function () {
return this.hasMany(Posts, 'created_by'); return this.hasMany(Posts, 'created_by');
}, },

12
core/test/unit/api_posts_spec.js
View file

@ -367,4 +367,16 @@ describe('Post Model', function () {
done(); done();
}).then(null, done); }).then(null, done);
}); });
it('should escape the title', function (done) {
new PostModel().fetch().then(function(model) {
return model.set({'title': '<script>alert("hello world")</script>'}).save();
}).then(function(saved) {
saved.get('title').should.eql('&lt;script&gt;alert(&quot;hello world&quot;)&lt;&#x2F;script&gt;');
done();
}).otherwise(done);
});
}); });