SECURITY: escape title HTML for inline onebox

SECURITY: escape title HTML for inline onebox

diff --git a/lib/cooked_post_processor.rb b/lib/cooked_post_processor.rb
index 1e8b0a0..9ab9ca6 100644
--- a/lib/cooked_post_processor.rb
+++ b/lib/cooked_post_processor.rb
@@ -655,7 +655,7 @@ class CookedPostProcessor
     )
 
     if title = inline_onebox&.dig(:title)
-      element.children = title
+      element.children = CGI.escapeHTML(title)
       element.add_class(INLINE_ONEBOX_CSS_CLASS)
     end
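Review bot: `element.children = CGI.escapeHTML(title)` works only because `children=` parses the assigned string as markup, so the escaping is load-bearing and nothing on the line says so. If `element` is a Nokogiri node (the `add_class` call on the next line suggests it, but the receiver's type is not in the hunk), `element.content = title` would set a text node directly and escape on serialization, avoiding the round trip of untrusted text through the HTML parser. Whichever form is kept, a why-comment would stop a later cleanup from reverting it, e.g. `# title comes from the fetched remote page and is untrusted; children= parses its argument as HTML`. The enclosing method starts and ends outside the hunk.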
 
diff --git a/spec/components/cooked_post_processor_spec.rb b/spec/components/cooked_post_processor_spec.rb
index a8bedc1..9e2628a 100644
--- a/spec/components/cooked_post_processor_spec.rb
+++ b/spec/components/cooked_post_processor_spec.rb
@@ -185,7 +185,8 @@ describe CookedPostProcessor do
           ]
         end
 
-        let(:title) { 'some title' }
+        let(:title) { '<b>some title</b>' }
+        let(:escaped_title) { CGI.escapeHTML(title) }
 
         let(:post) do
           Fabricate(:post, raw: <<~RAW)
@@ -203,7 +204,7 @@ describe CookedPostProcessor do
           urls.each do |url|
             stub_request(:get, url).to_return(
               status: 200,
-              body: "<html><head><title>#{title}</title></head></html>"
+              body: "<html><head><title>#{escaped_title}</title></head></html>"
             )
           end
         end
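Review bot: The stub now serves `escaped_title` inside `<title>`, so the value the onebox fetch returns to the processor should be the decoded `<b>some title</b>`, and the spec's strength rests on an expectation that the cooked HTML contains `&lt;b&gt;some title&lt;/b&gt;` and not a `<b>` element; that expectation is not in either hunk of this file (the `before` block here and the `let` in the earlier hunk are both cut off), so I cannot confirm it is asserted. A negative check alongside the positive one, e.g. `expect(<cooked html>).not_to include('<b>some title</b>')` with the spec's actual variable in place of the placeholder, would make a regression to unescaped output fail explicitly rather than only through the absence of the escaped string.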

GitHub sha: 35b59cfa
