Merge pull request #810 from bryszard/chore/sanitize-on-actors

Use Sanitize on actor_names
flippercloud · Jan 8, 2024 · aee29ac · aee29ac
2 parents b27ba80 + b6dd51f
commit aee29ac
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 5 deletions.
diff --git a/examples/ui/basic.ru b/examples/ui/basic.ru
@@ -42,8 +42,8 @@ Flipper::UI.configure do |config|
 
   config.actor_names_source = lambda do |_keys|
     {
-      '1' => 'John',
-      '6' => 'Brandon',
+      '1' => '<a href="https://johnnunemaker.com">John</a>',
+      '6' => '<a href="https://opensoul.org">Brandon</a>',
     }
   end
 end

diff --git a/lib/flipper/ui/views/feature.erb b/lib/flipper/ui/views/feature.erb
@@ -66,7 +66,7 @@
               <div class="col col-mr-auto pl-md-5">
                 <h6 class="m-0">
                   <% if Flipper::UI::Util.present?(@feature.actor_names[item]) %>
-                    <%= "#{@feature.actor_names[item]} (#{item})" %>
+                    <%== Sanitize.fragment("#{@feature.actor_names[item]} (#{item})", Sanitize::Config::BASIC) %>
                   <% else %>
                     <%= item %>
                   <% end %>

diff --git a/spec/flipper/ui/actions/feature_spec.rb b/spec/flipper/ui/actions/feature_spec.rb
@@ -138,14 +138,35 @@
             }
           }
         end
-
-        get '/features/search'
       end
 
       it 'renders template with custom actor names' do
+        get '/features/search'
         expect(last_response.body).to include('Some Actor Name (some_actor_name)')
         expect(last_response.body).not_to include('Some Other Actor Name')
       end
+
+      it 'allows basic html' do
+        Flipper::UI.configure do |config|
+          config.actor_names_source = lambda { |_keys|
+            { "some_actor_name" => '<a href="/users/some_actor_name">Some Actor Name</a>', }
+          }
+        end
+
+        get '/features/search'
+        expect(last_response.body).to include('<a href="/users/some_actor_name" rel="nofollow">Some Actor Name</a>')
+      end
+
+      it 'sanitizes dangerous markup' do
+        Flipper::UI.configure do |config|
+          config.actor_names_source = lambda { |_keys|
+            { "some_actor_name" => '<a href="javascript:alert(\'hello\')">Some Actor Name</a>', }
+          }
+        end
+
+        get '/features/search'
+        expect(last_response.body).not_to include('javascript:alert')
+      end
     end
   end