Always escape error messages

Before, if your error message contained HTML tags, they were marked as safe. Some error messages may contain user input so this would lead a XSS vulnerability. Error messages are now always escaped. If users need to mark them as safe they will need to use the explicit `:error` option: f.input :name, error: raw('My <b>error</b>')
2014-11-20 15:22:59 -02:00 · 2014-11-20 15:22:59 -02:00 · 7d0ba39309
parent 106e775150
commit 7d0ba39309
2 changed files with 53 additions and 4 deletions
--- a/lib/simple_form/components/errors.rb
+++ b/lib/simple_form/components/errors.rb
@ -18,13 +18,11 @@ module SimpleForm
      def error_text
        text = has_custom_error? ? options[:error] : errors.send(error_method)

-        "#{html_escape(options[:error_prefix])} #{text}".lstrip.html_safe
+        "#{html_escape(options[:error_prefix])} #{html_escape(text)}".lstrip.html_safe
      end

      def full_error_text
-        text = has_custom_error? ? options[:error] : full_errors.send(error_method)
-
-        text.html_safe
+        has_custom_error? ? options[:error] : full_errors.send(error_method)
      end

      def error_method
--- a/test/form_builder/error_test.rb
+++ b/test/form_builder/error_test.rb
@ -85,6 +85,16 @@ class ErrorTest < ActionView::TestCase
    assert_no_select 'span.error b'
  end

+  test 'error escapes error text' do
+    @user.errors.add(:action, 'must not contain <b>markup</b>')
+
+    with_error_for @user, :action
+
+    assert_select 'span.error'
+    assert_no_select 'span.error b', 'markup'
+  end
+
+
  test 'error generates an error message with raw HTML tags' do
    with_error_for @user, :name, error_prefix: '<b>Name</b>'.html_safe
    assert_select 'span.error', "Name can't be blank"
@ -115,6 +125,15 @@ class ErrorTest < ActionView::TestCase
    assert_equal({ id: 'name_error' }, options)
  end

+  test 'full error escapes error text' do
+    @user.errors.add(:action, 'must not contain <b>markup</b>')
+
+    with_full_error_for @user, :action
+
+    assert_select 'span.error'
+    assert_no_select 'span.error b', 'markup'
+  end
+
  # CUSTOM WRAPPERS

  test 'error with custom wrappers works' do
@ -185,6 +204,38 @@ class ErrorTest < ActionView::TestCase
    end
  end

+  test 'input with custom error escapes the error text' do
+    with_form_for @user, :name, error: 'error must not contain <b>markup</b>'
+
+    assert_select 'span.error'
+    assert_no_select 'span.error b', 'markup'
+  end
+
+  test 'input with custom error does not escape the error text if it is safe' do
+    with_form_for @user, :name, error: 'error must contain <b>markup</b>'.html_safe
+
+    assert_select 'span.error'
+    assert_select 'span.error b', 'markup'
+  end
+
+  test 'input with custom error escapes the error text using full_error component' do
+    swap_wrapper :default, self.custom_wrapper_with_full_error do
+      with_form_for @user, :name, error: 'error must not contain <b>markup</b>'
+
+      assert_select 'span.error'
+      assert_no_select 'span.error b', 'markup'
+    end
+  end
+
+  test 'input with custom error does not escape the error text if it is safe using full_error component' do
+    swap_wrapper :default, self.custom_wrapper_with_full_error do
+      with_form_for @user, :name, error: 'error must contain <b>markup</b>'.html_safe
+
+      assert_select 'span.error'
+      assert_select 'span.error b', 'markup'
+    end
+  end
+
  test 'input with custom error when using full_error component does not generate the error if there is no error on the attribute' do
    swap_wrapper :default, self.custom_wrapper_with_full_error do
      with_form_for @user, :active, error: "Super User Active! can't be blank"