Sanitize quiz answer comments html

Fixes CNVS-22170

Test plan:
 - Create a quiz
 - Set an answer comment to `">'><img src=x onerror=alert(3)>`
 - Take the test and view the resulting answer comment everywhere you
 can find it
 - Try lots of other forms of html to try and execute javascript

Change-Id: I209b266a648810763e03b602790001034815b44f
Reviewed-on: https://gerrit.instructure.com/59457
Reviewed-by: Cameron Sutter <csutter@instructure.com>
Tested-by: Jenkins
QA-Review: Adam Stone <astone@instructure.com>
Product-Review: Cameron Sutter <csutter@instructure.com>
This commit is contained in:
Brian Finney 2015-07-28 15:05:44 -07:00
parent 258f154ac1
commit 01e6bfbaf7
2 changed files with 5 additions and 3 deletions


@ -396,8 +396,10 @@ module QuizzesHelper
end
def comment_get(hash, field)
if html = hash_get(hash, "#{field}_html".to_sym)
raw(html)
html = hash_get(hash, "#{field}_html".to_sym)
if html
sanitize(html)
else
hash_get(hash, field)
end
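Review bot: `sanitize(html)` in `comment_get` is called with no explicit allowlist, so the tags and attributes that survive depend on the framework's default sanitizer configuration; if the application already has a central sanitizer configuration for user-authored HTML, `comment_get` should use it so that answer comments are filtered the same way as other rich content. Also, the test plan above is entirely manual; a spec that feeds `comment_get` the `">'><img src=x onerror=alert(3)>` payload from the test plan and asserts that no `onerror` attribute is present in the return value would keep this fix from regressing.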


@ -145,7 +145,7 @@
<% if show_comment %>
<div class="quiz_comment <%= "empty" unless has_answer_comment %>">
<div class="answer_comment" <%= hidden(true) if hash_get(answer, :comments_html).present? %>><%= comment_get(answer, :comments) %></div>
<div class="answer_comment_html"><%= raw(hash_get(answer, :comments_html)) %></div>
<div class="answer_comment_html"><%= sanitize(hash_get(answer, :comments_html)) %></div>
</div>
<% end %>
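Review bot: the same `comments_html` value is now sanitized on two separate paths in this template: once inside `comment_get(answer, :comments)` for the `answer_comment` div and again directly via `sanitize(hash_get(answer, :comments_html))` for the `answer_comment_html` div. Consider routing the second div through `comment_get` (or a shared helper) as well, so that there is a single sanitization point for answer comments and a future change to the allowlist cannot leave one of the two outputs unfiltered. The change to `sanitize` is otherwise the right fix for the `raw` output on the previous line.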