mirror of https://github.com/miniflux/v2.git synced 2025-08-16 18:01:37 +00:00

addImageTitle: Fix HTML injection

This rewrite rule would change this:

    <img title="<foo>">

to this:

    <figure><img><figcaption><foo></figcaption></figure>

The image title needs to be properly escaped.
Peter De Wachter 2019-08-14 09:33:54 +02:00 committed by Frédéric Guillot
parent 3a39d110f0
commit ea2b6e3608
2 changed files with 11 additions and 1 deletions


@ -61,6 +61,15 @@ func TestRewriteWithXkcdLink(t *testing.T) {
}
}
func TestRewriteWithXkcdLinkHtmlInjection(t *testing.T) {
description := `<img src="https://imgs.xkcd.com/comics/thermostat.png" title="<foo>" alt="<foo>" />`
output := Rewriter("https://xkcd.com/1912/", description, ``)
expected := `<figure><img src="https://imgs.xkcd.com/comics/thermostat.png" alt="&lt;foo&gt;"/><figcaption><p>&lt;foo&gt;</p></figcaption></figure>`
if expected != output {
t.Errorf(`Not expected output: got "%s" instead of "%s"`, output, expected)
}
}
func TestRewriteWithXkcdLinkAndImageNoTitle(t *testing.T) {
description := `<img src="https://imgs.xkcd.com/comics/thermostat.png" alt="Your problem is so terrible, I worry that, if I help you, I risk drawing the attention of whatever god of technology inflicted it on you." />`
output := Rewriter("https://xkcd.com/1912/", description, ``)
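Review bot: TestRewriteWithXkcdLinkHtmlInjection pins only angle brackets, so the escaping of `&` and `"` is left untested, even though the title ends up as figcaption text while alt stays an attribute value and the two contexts break on different characters. A second case whose title and alt carry an encoded quote and ampersand, for example `title="a &quot;b&quot; &amp; c"`, would pin that the alt attribute is still closed correctly after the rewrite. The rewrite rule itself is in the other changed file, which is not visible here, so whether it already handles those characters is inferred rather than confirmed. A one-line comment above the function, such as `// Regression test: the image title must be HTML-escaped when moved into <figcaption>.`, would record why the test exists.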