Escaping several fields to prevent XSS
issue #938 - escapes post's title field - escapes settings title, description, email - escapes user's name field - includes test for post title
This commit is contained in:
parent
d169bba3f8
commit
c9235ccb0b
4 changed files with 32 additions and 1 deletions
|
@ -51,7 +51,7 @@ Post = GhostBookshelf.Model.extend({
|
||||||
|
|
||||||
this.set('html', converter.makeHtml(this.get('markdown')));
|
this.set('html', converter.makeHtml(this.get('markdown')));
|
||||||
|
|
||||||
this.set('title', this.get('title').trim());
|
this.set('title', this.escape('title').trim());
|
||||||
|
|
||||||
if (this.hasChanged('status') && this.get('status') === 'published') {
|
if (this.hasChanged('status') && this.get('status') === 'published') {
|
||||||
if (!this.get('published_at')) {
|
if (!this.get('published_at')) {
|
||||||
|
|
|
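Review bot: Escaping at save time is not idempotent — the next save of this post runs `this.escape('title')` over the already-escaped stored value, so an `&` in the title becomes `&amp;`, then `&amp;amp;`, and so on with every edit. The same pattern appears in the Settings and User hunks of this commit. Guarding with `if (this.hasChanged('title'))` limits escaping to values that actually arrived in the request, though a client that echoes the escaped title back on edit would still compound it; the more robust placement is to store the raw text and escape at render time. The enclosing `saving` function starts and ends outside the hunk.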
@ -73,7 +73,19 @@ Settings = GhostBookshelf.Model.extend({
|
||||||
validation[validationName].apply(validation, validationOptions);
|
validation[validationName].apply(validation, validationOptions);
|
||||||
}, this);
|
}, this);
|
||||||
}
|
}
|
||||||
|
},
|
||||||
|
|
||||||
|
|
||||||
|
saving: function () {
|
||||||
|
|
||||||
|
// All blog setting keys that need their values to be escaped.
|
||||||
|
if (this.get('type') === 'blog' && _.contains(['title', 'description', 'email'], this.get('key'))) {
|
||||||
|
this.set('value', this.escape('value'));
|
||||||
|
}
|
||||||
|
|
||||||
|
return GhostBookshelf.Model.prototype.saving.apply(this, arguments);
|
||||||
}
|
}
|
||||||
|
|
||||||
}, {
|
}, {
|
||||||
read: function (_key) {
|
read: function (_key) {
|
||||||
// Allow for just passing the key instead of attributes
|
// Allow for just passing the key instead of attributes
|
||||||
|
|
|
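Review bot: The `email` setting is HTML-escaped alongside `title` and `description`, but it is an address rather than markup; an address containing `'` or `&` (both valid in the local part) is stored as `&#x27;` / `&amp;` and breaks wherever the value is later handed to mail delivery instead of a template. Consider keeping it out of this list and validating it as an address instead: `_.contains(['title', 'description'], this.get('key'))`. The key comment on the line above would then read `// Blog setting keys whose values are rendered as HTML and need escaping.`.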
@ -55,6 +55,13 @@ User = GhostBookshelf.Model.extend({
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
|
||||||
|
saving: function () {
|
||||||
|
|
||||||
|
this.set('name', this.escape('name'));
|
||||||
|
|
||||||
|
return GhostBookshelf.Model.prototype.saving.apply(this, arguments);
|
||||||
|
},
|
||||||
|
|
||||||
posts: function () {
|
posts: function () {
|
||||||
return this.hasMany(Posts, 'created_by');
|
return this.hasMany(Posts, 'created_by');
|
||||||
},
|
},
|
||||||
|
|
|
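Review bot: `this.set('name', this.escape('name'))` runs on every save, including partial updates that do not carry `name`; if `escape` follows the Backbone/Bookshelf shape `_.escape(this.get(attr))`, an undefined name comes back as `''` and the stored name is silently blanked. Guard it with `if (this.hasChanged('name')) { this.set('name', this.escape('name')); }`, which also avoids re-escaping an unchanged name. Note that a name such as `O'Brien` is stored as `O&#x27;Brien`, which is right for HTML output but also surfaces in JSON responses and any plain-text use of the name.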
@ -367,4 +367,16 @@ describe('Post Model', function () {
|
||||||
done();
|
done();
|
||||||
}).then(null, done);
|
}).then(null, done);
|
||||||
});
|
});
|
||||||
|
|
||||||
|
it('should escape the title', function (done) {
|
||||||
|
|
||||||
|
new PostModel().fetch().then(function(model) {
|
||||||
|
return model.set({'title': '<script>alert("hello world")</script>'}).save();
|
||||||
|
}).then(function(saved) {
|
||||||
|
saved.get('title').should.eql('<script>alert("hello world")</script>');
|
||||||
|
done();
|
||||||
|
}).otherwise(done);
|
||||||
|
|
||||||
|
});
|
||||||
|
|
||||||
});
|
});
|
||||||
|
|
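Review bot: As rendered, the expected value on the `saved.get('title').should.eql(...)` line is the same raw `<script>…</script>` string that was set, which would only hold if no escaping took place; if this is the literal source rather than the page decoding entities, the expectation should be the escaped form, e.g. `'&lt;script&gt;alert(&quot;hello world&quot;)&lt;/script&gt;'`. The new test uses `.otherwise(done)` where the preceding test uses `.then(null, done)`; one rejection-handler style should be used throughout. Nothing in this hunk exercises the Settings or User escaping added in the same commit.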