1680: add sanitation of error-message from codeharbor

kkoehn · kkoehn · commit f334a472b29c · 2025-02-04T22:05:06.000+01:00
diff --git a/app/services/exercise_service/push_external.rb b/app/services/exercise_service/push_external.rb
@@ -21,7 +21,7 @@ def execute
         if response.success?
           nil
         else
-          response.status == 401 ? I18n.t('exercises.export_codeharbor.not_authorized') : response.body
+          response.status == 401 ? I18n.t('exercises.export_codeharbor.not_authorized') : ERB::Util.html_escape(response.body)
         end
       rescue StandardError => e
         e.message
diff --git a/spec/services/exercise_service/push_external_spec.rb b/spec/services/exercise_service/push_external_spec.rb
@@ -49,9 +49,15 @@
 
       context 'when response status is 500' do
         let(:status) { 500 }
-        let(:response) { 'an error occured' }
+        let(:response) { 'an error occurred' }
 
-        it { is_expected.to be response }
+        it { is_expected.to eql response }
+
+        context 'when response contains problematic characters' do
+          let(:response) { 'an <error> occurred' }
+
+          it { is_expected.to eql 'an &lt;error&gt; occurred' }
+        end
       end
 
       context 'when response status is 401' do
