Escape message for notifications
parent
d272cecd55
commit
e998c059b6
|
@ -134,6 +134,6 @@ class Notify extends BaseEntity
|
|||
*/
|
||||
public static function formatMessage(string $name, string $message): string
|
||||
{
|
||||
return str_replace('{0}', '<span class="contactname">' . strip_tags(BBCode::convert($name)) . '</span>', $message);
|
||||
return str_replace('{0}', '<span class="contactname">' . strip_tags(BBCode::convert($name)) . '</span>', htmlspecialchars($message));
|
||||
}
|
||||
}
|
||||
|
|
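--- /dev/null
+++ b/tests/src/Navigation/Notifications/Entity/NotifyTest.php
@@ -0,0 +1,28 @@
+<?php
+
+namespace Friendica\Test\src\Navigation\Notifications\Entity;
+
+use Friendica\Navigation\Notifications\Entity\Notify;
+use Friendica\Test\FixtureTest;
+
+class NotifyTest extends FixtureTest
+{
+public function dataFormatNotify(): array
+{
+return [
+'xss-notify' => [
+'name' => 'Whiskers',
+'message' => '{0} commented in the thread "If my username causes a pop up in a piece of software, that softwar…" from <script>alert("Tek");</script>',
+'assertion' => '<span class="contactname">Whiskers</span> commented in the thread "If my username causes a pop up in a piece of software, that softwar…" from <script>alert("Tek");</script>',
+],
+];
+}
+
+/**
+* @dataProvider dataFormatNotify
+*/
+public function testFormatNotify(string $name, string $message, string $assertion)
+{
+self::assertEquals($assertion, Notify::formatMessage($name, $message));
+}
+}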
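Review bot: The `'assertion'` string in the `xss-notify` dataset contains a raw `<script>alert("Tek");</script>` and unescaped double quotes, which is exactly what the new `htmlspecialchars($message)` in `formatMessage` rewrites to `&lt;script&gt;` and `&quot;`, so as displayed this test would fail against the code it is meant to cover; if that is an entity-decoding artifact of the rendered page, the committed file should read `'assertion' => '<span class="contactname">Whiskers</span> commented in the thread &quot;If my username causes a pop up in a piece of software, that softwar…&quot; from &lt;script&gt;alert(&quot;Tek&quot;);&lt;/script&gt;'`. The single dataset only exercises the message path; the `$name` argument still goes through `strip_tags(BBCode::convert($name))`, which removes tags but does not entity-encode whatever it leaves behind (whether `BBCode::convert` escapes on its own is not visible here), so a second case such as `'name' => '<img src=x onerror=alert(1)>'` asserting the bare `<span class="contactname">` wrapper would pin that path too. A payload built on a single quote would also document whether the default `htmlspecialchars` flags (ENT_COMPAT before PHP 8.1, ENT_QUOTES from 8.1) leave `'` unescaped on the project's minimum PHP version. Prefer `self::assertSame` for string output, and since the provider is pure data it can be declared `public static function dataFormatNotify(): array` so PHPUnit 10+ accepts it without deprecation.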