diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index ffc3a89d..4c521ec8 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -446,20 +446,20 @@ module ApplicationHelper
 case args.size
 when 1
 obj = options[:object]
- text = args.shift
+ input_text = args.shift
 when 2
 obj = args.shift
 attr = args.shift
- text = obj.send(attr).to_s
+ input_text = obj.send(attr).to_s
 else
 raise ArgumentError, 'invalid arguments to textilizable'
 end
- return '' if text.blank?
+ return '' if input_text.blank?
 project = options[:project] || @project || (obj && obj.respond_to?(:project) ? obj.project : nil)
 only_path = options.delete(:only_path) == false ? false : true
 begin
- text = ChiliProject::Liquid::Legacy.run_macros(text)
+ text = ChiliProject::Liquid::Legacy.run_macros(input_text)
 liquid_template = ChiliProject::Liquid::Template.parse(text)
 liquid_variables = get_view_instance_variables_for_liquid
 liquid_variables.merge!({'current_user' => User.current})
@@ -478,8 +478,15 @@ module ApplicationHelper
 end
 Rails.logger.debug msg
 end
- rescue Liquid::SyntaxError
+ rescue Liquid::SyntaxError => exception
+ if Rails.logger && Rails.logger.debug?
+ msg = "[Liquid Syntax Error] #{exception.message}\n:\n#{exception.backtrace.join("\n")}"
+ msg << "\n\n"
+ Rails.logger.debug msg
+ end
+ # Skip Liquid if there is a syntax error
+ text = h(input_text)
 end
 @parsed_headings = []
diff --git a/test/unit/lib/chili_project/liquid_test.rb b/test/unit/lib/chili_project/liquid_test.rb
index 2fb25020..0108f15e 100644
--- a/test/unit/lib/chili_project/liquid_test.rb
+++ b/test/unit/lib/chili_project/liquid_test.rb
@@ -208,4 +208,14 @@ class ChiliProject::LiquidTest < ActionView::TestCase
 end
 end
 end
+
+ context "invalid input" do
+ should "be escaped" do
+ text = "{% --- something invalid %}\n"
+ text << ''
+
+ formatted = textilizable(text)
+ assert_match '<script>alert("Hello")</script>', formatted
+ end
+ end
 end
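Review bot: In the new `rescue Liquid::SyntaxError => exception` branch the failure is recorded only when `Rails.logger.debug?` is true, so in a non-debug configuration a stored page whose Liquid does not parse is silently replaced by `h(input_text)` with no trace in the logs, which makes repeated parse failures (a useful signal that someone is probing the template engine) invisible to operators. Log the message unconditionally and keep only the backtrace behind the debug guard, e.g. `Rails.logger.warn "[Liquid Syntax Error] #{exception.message}" if Rails.logger` before the existing `if Rails.logger && Rails.logger.debug?` block. The message format `"#{exception.message}\n:\n#{...}"` also puts the colon on a line of its own; `"#{exception.message}:\n#{exception.backtrace.join("\n")}"` is presumably what was intended. Escaping the raw input with `h` is the right fallback as far as this hunk shows, but the enclosing `textilizable` body starts before the first hunk and continues past `@parsed_headings = []`, so whether `text` is escaped a second time downstream (double-escaping the fallback) cannot be confirmed here.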
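Review bot: The assertion `assert_match '<script>alert("Hello")</script>', formatted` checks that the raw, unescaped script element appears in the output, which is the opposite of what the example name "be escaped" states; as written the test passes only if the helper lets the markup through. The preceding line `text << ''` appends an empty string, which suggests the markup in the fixture was lost when the diff was rendered rather than being absent in the commit, so the fixture should be confirmed against the actual file. Once the payload is restored, the example should assert the escaped form and reject the raw one: `assert_match '&lt;script&gt;', formatted` together with `assert_no_match %r{<script>}, formatted`. It would also be worth a second example that passes valid Liquid, to show the fallback path is the only one that skips rendering.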