Merge pull request #2273 from evazion/xss/post-source

Fix XSS in source link on post show page.
Albert Yi
2014-10-17 14:33:29 -07:00


@@ -18,18 +18,21 @@ module PostsHelper
end
def post_source_tag(post)
if post.source =~ %r!http://img\d+\.pixiv\.net/img/([^\/]+)/!
if post.source =~ %r!\Ahttp://img\d+\.pixiv\.net/img/([^\/]+)/!i
text = "pixiv/<wbr>#{wordbreakify($1)}".html_safe
source_link = link_to(text, post.normalized_source)
source_search = "source:pixiv/#{$1}/"
elsif post.source =~ %r!http://i\d\.pixiv\.net/img\d+/img/([^\/]+)/!
elsif post.source =~ %r!\Ahttp://i\d\.pixiv\.net/img\d+/img/([^\/]+)/!i
text = "pixiv/<wbr>#{wordbreakify($1)}".html_safe
source_link = link_to(text, post.normalized_source)
source_search = "source:pixiv/#{$1}/"
elsif post.source =~ %r{\Ahttps?://}
text = truncate(post.normalized_source.sub(/^https?:\/\/(?:www\.)?/, ""))
source_link = link_to(truncate(text, :length => 20), post.normalized_source)
elsif post.source =~ %r{\Ahttps?://}i
text = post.normalized_source.sub(/\Ahttps?:\/\/(?:www\.)?/i, "")
text = truncate(text, length: 20)
source_search = "source:#{post.source.sub(/[^\/]*$/, "")}"
end
# Only allow http:// and https:// links. Disallow javascript: links.
if post.normalized_source =~ %r!\Ahttps?://!i
source_link = link_to(text, post.normalized_source)
else
source_link = truncate(post.source, :length => 100)
end