diff --git a/app/presenters/address_presenter.rb b/app/presenters/address_presenter.rb
index 42c836783..8915e6475 100644
--- a/app/presenters/address_presenter.rb
+++ b/app/presenters/address_presenter.rb
@@ -6,7 +6,9 @@ def to_html
.join(', ')
[model.flat, model.street, city_and_postal_code, lat, lng]
- .delete_if(&:empty?).join('
').html_safe
+ .delete_if(&:empty?)
+ .map { |line| ERB::Util.html_escape(line) }
+ .join('
').html_safe
end
def for_map
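Review bot: The per-element `ERB::Util.html_escape` on the new `.map` line is a no-op for any element that already answers `html_safe?`, so whether `city_and_postal_code` (defined outside this hunk) is actually escaped depends on it returning a plain String rather than a SafeBuffer; worth confirming, and a comment such as `# elements must be plain Strings here, html_escape leaves html_safe values untouched` would make that contract visible to the next editor. If ActionView helpers are in scope in this presenter, `safe_join(lines, '<br>'.html_safe)` expresses the escape-then-join in one call without re-marking the result. The separator passed to `.join` on the new side appears to have been lost in this rendering of the diff (the call is split across two lines), so the separator itself is not reviewable here. The body of `to_html` begins outside the hunk.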
diff --git a/app/views/admin/events/show.html.haml b/app/views/admin/events/show.html.haml
index 6ed0e328f..479c27243 100644
--- a/app/views/admin/events/show.html.haml
+++ b/app/views/admin/events/show.html.haml
@@ -92,7 +92,7 @@
.row
.col
- %p.lead= @event.description.html_safe
+ %p.lead= sanitize(@event.description)
- if @event.tito_url.present?
.row
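Review bot: `sanitize(@event.description)` is called with the Rails default allowlist, which still permits `a` and `img` among other tags, and the same default call is repeated in the meetings show view and the `_agenda` mailer partial below; three independent call sites make it easy for the allowed markup to drift when one of them is later given explicit `tags:`/`attributes:` options. A single helper, e.g. `def sanitize_description(text) = sanitize(text, tags: DESCRIPTION_TAGS)` with the allowlist as one constant, would keep the admin page and the mail rendering identical. Whether the default allowlist is the right width depends on who can author `description`, which is not visible here.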
diff --git a/app/views/admin/meetings/show.html.haml b/app/views/admin/meetings/show.html.haml
index 9d678b71a..48d66e9cb 100644
--- a/app/views/admin/meetings/show.html.haml
+++ b/app/views/admin/meetings/show.html.haml
@@ -51,7 +51,7 @@
.row.mt-3
.col-10
%h4 Agenda
- = @meeting.description.html_safe
+ = sanitize(@meeting.description)
- if @invitations.any?
.py-4.py-lg-5.bg-light
diff --git a/app/views/meeting_invitation_mailer/_agenda.html.haml b/app/views/meeting_invitation_mailer/_agenda.html.haml
index b80535f1f..55fc6c9df 100644
--- a/app/views/meeting_invitation_mailer/_agenda.html.haml
+++ b/app/views/meeting_invitation_mailer/_agenda.html.haml
@@ -3,4 +3,4 @@
%tr
%td
%h4 Agenda
- %p= @meeting.description.html_safe
+ %p= sanitize(@meeting.description)
diff --git a/app/views/meeting_invitation_mailer/_cancel_attendance.html.haml b/app/views/meeting_invitation_mailer/_cancel_attendance.html.haml
index 6677b09f4..8de8cd843 100644
--- a/app/views/meeting_invitation_mailer/_cancel_attendance.html.haml
+++ b/app/views/meeting_invitation_mailer/_cancel_attendance.html.haml
@@ -5,4 +5,4 @@
%h4
Can't make it anymore?
%p
- = "Please #{link_to 'cancel your attendance', @cancellation_url} by following the instructions on the event page.".html_safe
+ Please #{link_to 'cancel your attendance', @cancellation_url} by following the instructions on the event page.
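Review bot: Dropping `.html_safe` here relies on Haml escaping the literal text while letting the SafeBuffer returned by `link_to` through the `#{}` interpolation unescaped; that is the intended direction, but nothing in the view or its specs pins it, so a mailer spec asserting the rendered body contains the anchor and no `&lt;a` would catch a future change to Haml's `escape_html` setting. The same observation applies to the invite template further down, which additionally drops the comma after 'You can RSVP here', a wording change unrelated to the escaping fix and worth calling out in the commit message.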
diff --git a/app/views/meeting_invitation_mailer/invite.html.haml b/app/views/meeting_invitation_mailer/invite.html.haml
index c3e6b5432..366102d76 100644
--- a/app/views/meeting_invitation_mailer/invite.html.haml
+++ b/app/views/meeting_invitation_mailer/invite.html.haml
@@ -16,7 +16,7 @@
%p.lead
We're back for another instalment of codebar Monthlies on #{humanize_date(@meeting.date_and_time, with_time: true)} at #{@meeting.venue.name}!
%p
- = "#{link_to 'You can RSVP here', @rsvp_url}, after logging into your codebar account.".html_safe
+ #{link_to 'You can RSVP here', @rsvp_url} after logging into your codebar account.
= render partial: 'agenda'
diff --git a/spec/presenters/address_presenter_spec.rb b/spec/presenters/address_presenter_spec.rb
index c6d697861..01d45ca4a 100644
--- a/spec/presenters/address_presenter_spec.rb
+++ b/spec/presenters/address_presenter_spec.rb
@@ -2,10 +2,20 @@
let(:address) { Fabricate.build(:address) }
let(:presenter) { AddressPresenter.new(address) }
- it '#to_html' do
- html_address = "#{address.flat}
#{address.street}
#{address.city}, #{address.postal_code}"
+ describe '#to_html' do
+ it 'returns the address in HTML with lines separated with
tags' do
+ html_address = "#{address.flat}
#{address.street}
#{address.city}, #{address.postal_code}"
- expect(presenter.to_html).to eq(html_address)
+ expect(presenter.to_html).to eq(html_address)
+ end
+
+ it 'escapes HTML in address elements' do
+ address.street = ''
+ html_address = "#{address.flat}
<script>alert("XSS");</script>
" +
+ "#{address.city}, #{address.postal_code}"
+
+ expect(presenter.to_html).to eq(html_address)
+ end
end
it '#to_s' do
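Review bot: The new 'escapes HTML in address elements' example compares `to_html` to a full expected string but neither example asserts that the returned value is marked safe, which is the other half of the presenter's contract (an unmarked string would be escaped again by the view, turning the separator into text); add `expect(presenter.to_html).to be_html_safe` to the first example. The escaping example would also be more robust asserting the property directly, `expect(presenter.to_html).not_to include('<script>')`, so that a later change to the line separator cannot mask an escaping regression behind a failing equality. The value assigned at the `address.street = ''` line and the expected markup that follows appear to have had their tags stripped in this rendering of the diff, so the exact payload and expected entities are not reviewable here.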