From 13668dfc8b16cab58fd3b29bf521fd4abe4a7d2b Mon Sep 17 00:00:00 2001 From: Martin Edenhofer Date: Wed, 29 Sep 2021 10:13:40 +0200 Subject: [PATCH] Fixes #3365 - No script content (e. g. JavaScript) in emails --- config/initializers/html_sanitizer.rb | 2 +- spec/models/channel/email_parser_spec.rb | 2 +- .../concerns/has_xss_sanitized_note_examples.rb | 4 ++-- spec/models/ticket/article_spec.rb | 6 +++--- test/unit/html_sanitizer_test.rb | 14 +++++++------- 5 files changed, 14 insertions(+), 14 deletions(-) diff --git a/config/initializers/html_sanitizer.rb b/config/initializers/html_sanitizer.rb index 8183f9a85..80ae25b52 100644 --- a/config/initializers/html_sanitizer.rb +++ b/config/initializers/html_sanitizer.rb @@ -5,11 +5,11 @@ Rails.application.config.html_sanitizer_tags_remove_content = %w[ style comment meta + script ] # content of this tags will will be inserted html quoted Rails.application.config.html_sanitizer_tags_quote_content = %w[ - script ] # only this tags are allowed diff --git a/spec/models/channel/email_parser_spec.rb b/spec/models/channel/email_parser_spec.rb index b553db6f3..9a30a3102 100644 --- a/spec/models/channel/email_parser_spec.rb +++ b/spec/models/channel/email_parser_spec.rb @@ -1258,7 +1258,7 @@ RSpec.describe Channel::EmailParser, type: :model do let(:content_type) { 'text/html' } it 'removes injected some text') } - it 'strips out + some other text RAW it 'removes '), '<b>123</b>') - assert_equal(HtmlSanitizer.strict(''), '<style><b>123</b></style>') + assert_equal(HtmlSanitizer.strict(''), '') + assert_equal(HtmlSanitizer.strict(''), '') assert_equal(HtmlSanitizer.strict('123123'), '123123') assert_equal(HtmlSanitizer.strict('123123abc'), '123123abc') assert_equal(HtmlSanitizer.strict('123'), '123') - assert_equal(HtmlSanitizer.strict(''), 'alert("XSS!");') + assert_equal(HtmlSanitizer.strict(''), '') assert_equal(HtmlSanitizer.strict(''), '') assert_equal(HtmlSanitizer.strict(''), '') assert_equal(HtmlSanitizer.strict(''), '') assert_equal(HtmlSanitizer.strict(''), '') assert_equal(HtmlSanitizer.strict(''), '') - assert_equal(HtmlSanitizer.strict('">'), 'alert("XSS")">') + assert_equal(HtmlSanitizer.strict('">'), '">') assert_equal(HtmlSanitizer.strict(''), '') assert_equal(HtmlSanitizer.strict(''), '') assert_equal(HtmlSanitizer.strict(''), '') @@ -27,13 +27,13 @@ class HtmlSanitizerTest < ActiveSupport::TestCase assert_equal(HtmlSanitizer.strict(''), '') assert_equal(HtmlSanitizer.strict(''), '') assert_equal(HtmlSanitizer.strict(''), '') - assert_equal(HtmlSanitizer.strict('<'), '<alert("XSS");//<') + assert_equal(HtmlSanitizer.strict('<'), '<') assert_equal(HtmlSanitizer.strict(''), 'alert(\'XSS\');') + assert_equal(HtmlSanitizer.strict(''), '') assert_equal(HtmlSanitizer.strict('