Commit fa77b365 authored by Heinrich Lee Yu's avatar Heinrich Lee Yu

Merge branch 'djadmin-fix-custom-emoji' into 'master'

Use tag helper to generate custom emojis

See merge request gitlab-org/gitlab!63275
parents c94fd35e 4346a386
...@@ -41,7 +41,17 @@ module Gitlab ...@@ -41,7 +41,17 @@ module Gitlab
end end
def emoji_image_tag(name, src) def emoji_image_tag(name, src)
"<img class='emoji' title=':#{name}:' alt=':#{name}:' src='#{src}' height='20' width='20' align='absmiddle' />" image_options = {
class: 'emoji',
src: src,
title: ":#{name}:",
alt: ":#{name}:",
height: 20,
width: 20,
align: 'absmiddle'
}
ActionController::Base.helpers.tag(:img, image_options)
end end
def emoji_exists?(name) def emoji_exists?(name)
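Review bot: `ActionController::Base.helpers.tag(:img, image_options)` returns an `ActiveSupport::SafeBuffer`, whereas the removed line returned a plain `String`, and nothing in the hunk records that change of contract for any caller that marks or escapes the result itself. A YARD comment above the method would make it explicit, e.g. `# @return [ActiveSupport::SafeBuffer] an <img> tag whose attribute values (name, src) are HTML-escaped by the tag helper`. The helper escapes `src` for the attribute context only; whether the URL is restricted to acceptable schemes is not decided here and presumably depends on where `src` originates. The duplicated `":#{name}:"` could be built once, `emoji_name = ":#{name}:"`, and used for both `title:` and `alt:`. The enclosing `module Gitlab` starts outside the hunk.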
...@@ -91,7 +91,16 @@ RSpec.describe Gitlab::Emoji do ...@@ -91,7 +91,16 @@ RSpec.describe Gitlab::Emoji do
it 'returns emoji image tag' do it 'returns emoji image tag' do
emoji_image = described_class.emoji_image_tag('emoji_one', 'src_url') emoji_image = described_class.emoji_image_tag('emoji_one', 'src_url')
expect(emoji_image).to eq( "<img class='emoji' title=':emoji_one:' alt=':emoji_one:' src='src_url' height='20' width='20' align='absmiddle' />") expect(emoji_image).to eq("<img class=\"emoji\" src=\"src_url\" title=\":emoji_one:\" alt=\":emoji_one:\" height=\"20\" width=\"20\" align=\"absmiddle\" />")
end
it 'escapes emoji image attrs to prevent XSS' do
xss_payload = "<script>alert(1)</script>"
escaped_xss_payload = html_escape(xss_payload)
emoji_image = described_class.emoji_image_tag(xss_payload, 'http://aaa#' + xss_payload)
expect(emoji_image).to eq("<img class=\"emoji\" src=\"http://aaa##{escaped_xss_payload}\" title=\":#{escaped_xss_payload}:\" alt=\":#{escaped_xss_payload}:\" height=\"20\" width=\"20\" align=\"absmiddle\" />")
end end
end end
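Review bot: The new `it 'escapes emoji image attrs to prevent XSS'` example only exercises `<`, `>` and `/`; the character that would actually break out of the double-quoted attributes the helper emits is `"`, and `html_escape` also covers `&` and `'`, so a second example with a name containing a double quote would pin the escaping that matters most for this tag. The expectation also hard-codes attribute order (`class`, `src`, `title`, `alt`, …), which is an implementation detail of `tag`; if that is intentional, a short comment saying the order follows `image_options` would save the next reader a guess. `'http://aaa#' + xss_payload` would read more consistently with the surrounding expectations as interpolation, `"http://aaa##{xss_payload}"`. `html_escape` is referenced without a visible include, so presumably the spec context already provides it; the enclosing `RSpec.describe` block starts outside the hunk.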