fix: dojoビューのXSS脆弱性を解消

nacchan99 · nacchan99 · commit 1cd92fab067b · 2025-08-14T11:22:10.000+09:00
- html_escape() でユーザー入力データを適切にエスケープ
- sanitize_url() でリンク先URLを安全化
- link_to に noreferrer を追加し Reverse Tabnabbing 対策
diff --git a/app/views/shared/_dojo.html.erb b/app/views/shared/_dojo.html.erb
@@ -1,9 +1,9 @@
-<li class="dojo" id="<%= dojo.name %>">
+<li class="dojo" id="<%= html_escape(dojo.name) %>">
   <header>
-    <%= link_to lazy_image_tag(dojo.logo, alt: "CoderDojo #{dojo.name}", class: 'dojo-picture'), dojo.safe_url,
-              target: "_blank", rel: "external noopener" %>
+    <%= link_to lazy_image_tag(dojo.logo, alt: html_escape("CoderDojo #{dojo.name}"), class: 'dojo-picture'), sanitize_url(dojo.safe_url),
+              target: "_blank", rel: "external noopener noreferrer" %>
     <span class="dojo-name">
-      <%= link_to "#{dojo.name} (#{dojo.prefecture.name})", dojo.safe_url, target: "_blank", rel: "external noopener" %>
+      <%= link_to html_escape("#{dojo.name} (#{dojo.prefecture.name})"), sanitize_url(dojo.safe_url), target: "_blank", rel: "external noopener noreferrer" %>
       <% if not dojo.counter == 1 %>
         <span class="dojo-counter"
               data-original-title="道場数"
@@ -15,7 +15,7 @@
 
   <ul class="tags">
     <% dojo.tags.first(5).each do |tag| %>
-      <li><%= tag %></li>
+      <li><%= html_escape(tag) %></li>
     <% end %>
 
     <% if dojo.tags.length > 5 %>
@@ -26,12 +26,12 @@
 	   	           <div class="tooltip-arrow"></div>
 		           <div class="tooltip-inner"></div>
 		         </div>'
-          title="<%= dojo.tags[5..].join(', ') %>">...</li>
+          title="<%= html_escape(dojo.tags[5..].join(', ')) %>">...</li>
     <% end %>
   </ul>
 
   <p class="dojo-description">
-    <%= dojo.description %>
+    <%= html_escape(dojo.description) %>
     <% if dojo.is_private %>
       <%= link_to 'Private', doc_path('private-dojo'), class: 'dojo-private' %>
     <% end %>
