there was an xss script issue in preview iframes
fixes CNVS-17101

When you have a file with a <script> name, when no preview could be shown for that file, it would run the XSS. This fixes that.

Test Plan
Given you are on new files
And you create a file with the name <script>alert("Hi");</script>
When you preview that file
Then you should NOT see a pop up with the words Hi

Change-Id: Iaaeddd9e0121707b6122a3095fa9127b06815d2b
Reviewed-on: https://gerrit.instructure.com/44869
Reviewed-by: Dan Minkevitch <dan@instructure.com>
Product-Review: Sterling Cobb <sterling@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: Jahnavi Yetukuri <jyetukuri@instructure.com>
This commit is contained in:
parent
75c7b96718
commit
69ea170eb1
|
@ -5,10 +5,10 @@
|
||||||
<h2><%= @file.display_name %></h2>
|
<h2><%= @file.display_name %></h2>
|
||||||
<div><%= t('file_previews.no_preview_available', 'No preview is available for this file.')%></div>
|
<div><%= t('file_previews.no_preview_available', 'No preview is available for this file.')%></div>
|
||||||
<div>
|
<div>
|
||||||
<%= link_to(t('file_previews.download_file', 'Download *filename*', :wrapper => {'*' => @file.display_name}),
|
<%= link_to(t('file_previews.download_file', 'Download *filename*', :wrapper => {'*' => h(@file.display_name)}),
|
||||||
context_url(@context, :context_file_download_url, @file.id, :download_frd => 1)) %>
|
context_url(@context, :context_file_download_url, @file.id, :download_frd => 1)) %>
|
||||||
(<%= @file.readable_size %>)
|
(<%= @file.readable_size %>)
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
<%= render :partial => 'layouts/foot', :locals => { :include_common_bundle => true } %>
|
<%= render :partial => 'layouts/foot', :locals => { :include_common_bundle => true } %>
|
||||||
</body>
|
</body>
|
||||||
|
|
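Review bot: the escaping is applied at a single call site, and the fact that `h()` is needed at all shows that the `:wrapper` substitution in `t(...)` inserts the value into the translated string as raw HTML; any other `t(..., :wrapper => {...})` call that interpolates user-controlled data (file names, user names) has the same bug, so consider escaping wrapper values inside the translation/wrapper helper rather than relying on each caller to remember `h(@file.display_name)`. The Test Plan is manual only; a view spec that renders this partial with a display_name of `<script>alert("Hi");</script>` and asserts the output contains `&lt;script&gt;` would keep this from regressing. The unchanged `<h2><%= @file.display_name %></h2>` in the same hunk presumably relies on ERB auto-escaping, which is fine as long as display_name is never marked html_safe; worth confirming in the same pass.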