diff --git a/app/models/category.rb b/app/models/category.rb
index f0c4e4b800..067037e1dc 100644
--- a/app/models/category.rb
+++ b/app/models/category.rb
@@ -217,7 +217,7 @@ class Category < ActiveRecord::Base
@@cache ||= LruRedux::ThreadSafeCache.new(1000)
@@cache.getset(self.description) do
- Nokogiri::HTML.fragment(self.description).text.strip
+ Nokogiri::HTML.fragment(self.description).text.strip.html_safe
end
end
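Review bot: Marking the Nokogiri-extracted text as `html_safe` on the new L9 line is not safe in general, because `Nokogiri::HTML.fragment(...).text` decodes entities, so a description containing `&lt;`, `&gt;` or `&#39;` comes back as the literal characters and the SafeBuffer then tells any Rails view or helper that renders `description_text` not to escape them. The only caller in this commit (`lib/category_badge.rb`) interpolates the value into a plain double-quoted String, where the `html_safe` flag has no effect, so the flag buys nothing here and only widens exposure for other call sites. I would keep the method returning a plain String, `Nokogiri::HTML.fragment(self.description).text.strip`, and escape at the point of output instead; if the flag is kept, a comment such as `# text is entity-decoded plain text, NOT markup-safe; callers must html_escape it` should sit above it. The `def description_text` that opens this block starts before the hunk, so the cached value and its type are inferred from the surrounding context.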
diff --git a/lib/category_badge.rb b/lib/category_badge.rb
index 1b9398a46e..0f93623af7 100644
--- a/lib/category_badge.rb
+++ b/lib/category_badge.rb
@@ -79,7 +79,7 @@ module CategoryBadge
# category name
class_names = 'badge-category clear-badge'
- description = category.description_text ? "title='#{category.description_text.html_safe}'" : ''
+ description = category.description_text ? "title='#{category.description_text}'" : ''
category_url = opts[:absolute_url] ? "#{Discourse.base_url_no_prefix}#{category.url}" : category.url
extra_span_classes =
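Review bot: The new L20 line still interpolates `category.description_text` unescaped into a single-quoted `title='…'` attribute, and the concatenated result is later marked `html_safe` (L31 in the next hunk), so a description whose extracted text contains `'`, `<` or `&` lands in the markup verbatim; removing `.html_safe` from the interpolation changes nothing, because interpolating into a plain String discards the SafeBuffer flag either way. The escape needs to happen on the value itself: `description = category.description_text ? "title='#{ERB::Util.html_escape(category.description_text)}'" : ''`. `html_escape` encodes `'` as `&#39;`, so the attribute cannot be terminated early and the new spec's `title='title'` expectation still holds. The same applies to any other raw value appended to `result` before the final `html_safe` in the following hunk.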
@@ -102,7 +102,10 @@ module CategoryBadge
result << ""
- result << category.name.html_safe << ''
- ""
+ result << ERB::Util.html_escape(category.name) << ''
+
+ result = ""
+
+ result.html_safe
end
end
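Review bot: The trailing `result.html_safe` on the new L31 line makes the whole accumulated string safe, so every value interpolated earlier in this method is trusted as markup, yet only `category.name` is escaped (L27); `description` and `category_url` from the previous hunk are appended as built. The invariant deserves a comment directly above it, e.g. `# every value interpolated into result above must already be HTML-escaped; html_safe here is the single trust boundary`, and the reassignment at L29 (whose tag text appears to have been stripped in this view) should be checked against that rule as well. If `category.url` is slug-derived and validated elsewhere it may be fine, but that is not visible from this hunk, so `ERB::Util.html_escape(category_url)` at its interpolation site would be the conservative choice. The enclosing `html_for` method starts well before this hunk.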
diff --git a/spec/components/category_badge_spec.rb b/spec/components/category_badge_spec.rb
new file mode 100644
index 0000000000..ac89883cd2
--- /dev/null
+++ b/spec/components/category_badge_spec.rb
@@ -0,0 +1,15 @@
+require 'rails_helper'
+require 'category_badge'
+
+describe CategoryBadge do
+ it "escapes HTML in category names / descriptions" do
+ c = Fabricate(:category, name: 'name', description: 'title')
+
+ html = CategoryBadge.html_for(c)
+
+ expect(html).not_to include("title")
+ expect(html).not_to include("name")
+ expect(html).to include(ERB::Util.html_escape("name"))
+ expect(html).to include("title='title'")
+ end
+end
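Review bot: The spec exercises tag stripping and name escaping but never a quote character, even though the `title` attribute the badge emits is single-quoted, which is the one delimiter that matters there. A second fabricated category with a description containing `'` and an assertion that the emitted `title='…'` contains `&#39;` rather than a raw `'` would lock in the attribute-escaping behavior. As quoted here L49 and L52 look contradictory (`not_to include("title")` versus `to include("title='title'")`), which suggests the markup inside those string literals was stripped in this view; if the literals really are plain words, the first two expectations cannot pass and should be written against the tagged input.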