Escape message for notifications

This commit is contained in:
Philipp 2023-05-14 20:31:20 +02:00
parent d272cecd55
commit e998c059b6
No known key found for this signature in database
GPG key ID: 24A7501396EB5432
2 changed files with 29 additions and 1 deletions


@ -134,6 +134,6 @@ class Notify extends BaseEntity
*/
public static function formatMessage(string $name, string $message): string
{
return str_replace('{0}', '<span class="contactname">' . strip_tags(BBCode::convert($name)) . '</span>', $message);
return str_replace('{0}', '<span class="contactname">' . strip_tags(BBCode::convert($name)) . '</span>', htmlspecialchars($message));
}
}
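Review bot: The `htmlspecialchars($message)` call on the new return line relies on the runtime's default flags, which changed from `ENT_COMPAT | ENT_HTML401` to `ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401` in PHP 8.1, so whether a single quote in a notification message is escaped (and what happens on invalid UTF-8) depends on the PHP version the instance runs. Pass the flags and charset explicitly so the output is the same everywhere: `return str_replace('{0}', '<span class="contactname">' . strip_tags(BBCode::convert($name)) . '</span>', htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));`. Whether `$message` can already contain entities is not visible here; if some callers pass pre-encoded text this call double-encodes it, and `double_encode: false` would be the knob, so that is worth confirming against the callers. The method's docblock begins outside the hunk.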


@ -0,0 +1,28 @@
<?php
namespace Friendica\Test\src\Navigation\Notifications\Entity;
use Friendica\Navigation\Notifications\Entity\Notify;
use Friendica\Test\FixtureTest;
class NotifyTest extends FixtureTest
{
public function dataFormatNotify(): array
{
return [
'xss-notify' => [
'name' => 'Whiskers',
'message' => '{0} commented in the thread "If my username causes a pop up in a piece of software, that softwar…" from <script>alert("Tek");</script>',
'assertion' => '<span class="contactname">Whiskers</span> commented in the thread &quot;If my username causes a pop up in a piece of software, that softwar…&quot; from &lt;script&gt;alert(&quot;Tek&quot;);&lt;/script&gt;',
],
];
}
/**
* @dataProvider dataFormatNotify
*/
public function testFormatNotify(string $name, string $message, string $assertion)
{
self::assertEquals($assertion, Notify::formatMessage($name, $message));
}
}
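Review bot: `testFormatNotify` declares no return type, and the single `xss-notify` dataset only covers double quotes and angle brackets, so the test cannot tell whether single quotes or ampersands are escaped — a behaviour that differs across PHP versions unless `Notify::formatMessage` passes explicit `htmlspecialchars` flags. Add `: void` to the signature, `public function testFormatNotify(string $name, string $message, string $assertion): void`, and a second dataset whose message contains a single quote and an ampersand. The expected string in the dataset below assumes `ENT_QUOTES` semantics (the PHP 8.1+ default, or explicit flags in the entity); the values are constructed for this note.
```php
'quotes-and-ampersand' => [
    'name' => 'Whiskers',
    'message' => "{0} said it's \"Tom & Jerry\"",
    'assertion' => '<span class="contactname">Whiskers</span> said it&#039;s &quot;Tom &amp; Jerry&quot;',
],
```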