fix: Content argument safety (#55)

stephannv · Sep 9, 2024 · 28a1a3a · 28a1a3a
1 parent 8c87877
commit 28a1a3a
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 4 deletions.
diff --git a/spec/blueprint/html/safety_spec.cr b/spec/blueprint/html/safety_spec.cr
@@ -3,12 +3,17 @@ require "../../spec_helper"
 private class DummyPage
   include Blueprint::HTML
 
+  register_element :v_btn
+
   private def blueprint
     span { "<script>alert('hello')</script>" }
+    span "<script>alert('content')</script>"
     plain "<script>alert('Plain Text')</script>"
     render(DummyComponent.new) { "<script>alert('DummyComponent')</script>" }
     div(class: "some-class\" onblur=\"alert('Attribute')")
     comment { "--><script>alert('Plain Text')</script><!--" }
+    v_btn "<script>alert('content')</script>"
+    v_btn(class: "some-class\" onclick=\"alert('Attribute')") { "<script>alert('hello')</script>" }
   end
 end
 
@@ -21,7 +26,7 @@ private class DummyComponent
 end
 
 describe "Blueprint::HTML safety" do
-  it "escapes content passed to tags" do
+  it "escapes content passed to tags via block" do
     page = DummyPage.new
     expected_html = <<-HTML.strip
       <span>&lt;script&gt;alert(&#39;hello&#39;)&lt;/script&gt;</span>
@@ -30,6 +35,15 @@ describe "Blueprint::HTML safety" do
     page.to_html.should contain(expected_html)
   end
 
+  it "escapes content passed to tags via argument" do
+    page = DummyPage.new
+    expected_html = <<-HTML.strip
+      <span>&lt;script&gt;alert(&#39;content&#39;)&lt;/script&gt;</span>
+    HTML
+
+    page.to_html.should contain(expected_html)
+  end
+
   it "escapes plain text" do
     page = DummyPage.new
     expected_html = <<-HTML.strip
@@ -65,4 +79,22 @@ describe "Blueprint::HTML safety" do
 
     page.to_html.should contain(expected_html)
   end
+
+  it "escapes custom tag content passed via argument" do
+    page = DummyPage.new
+    expected_html = <<-HTML.strip
+      <v-btn>&lt;script&gt;alert(&#39;content&#39;)&lt;/script&gt;</v-btn>
+    HTML
+
+    page.to_html.should contain(expected_html)
+  end
+
+  it "escapes custom tag content passed via block" do
+    page = DummyPage.new
+    expected_html = <<-HTML.strip
+      <v-btn class="some-class&quot; onclick=&quot;alert(&#39;Attribute&#39;)">&lt;script&gt;alert(&#39;hello&#39;)&lt;/script&gt;</v-btn>
+    HTML
+
+    page.to_html.should contain(expected_html)
+  end
 end
diff --git a/src/blueprint/html/element_registrar.cr b/src/blueprint/html/element_registrar.cr
@@ -7,7 +7,7 @@ module Blueprint::HTML
     end
 
     private def {{method_name.id}}(**attributes) : Nil
-      element({{tag}}, **attributes) { "" }
+      element({{tag}}, "", **attributes)
     end
 
     private def {{method_name.id}}(__content__ : String, **attributes) : Nil
@@ -19,7 +19,7 @@ module Blueprint::HTML
     {% tag ||= method_name.tr("_", "-") %}
 
     private def {{method_name.id}}(**attributes) : Nil
-      element({{tag}}, **attributes) { "" }
+      element({{tag}}, "", **attributes)
     end
   end
 
@@ -47,7 +47,7 @@ module Blueprint::HTML
     @buffer << _tag_name
     @buffer << parse_attributes(attributes)
     @buffer << ">"
-    @buffer << __content__
+    ::HTML.escape(__content__, @buffer)
     @buffer << "</"
     @buffer << _tag_name
     @buffer << ">"