SECURITY: fix reflected XSS with safe_mode param

(only applies to beta and master)
This commit is contained in:
Sam
2016-12-19 10:11:51 +11:00
parent 81956cb1d6
commit 30e0154e5d
2 changed files with 23 additions and 7 deletions


@@ -53,7 +53,7 @@
Discourse.set('assetVersion','<%= Discourse.assets_digest %>');
Discourse.Session.currentProp("disableCustomCSS", <%= loading_admin? %>);
<%- if params["safe_mode"] %>
Discourse.Session.currentProp("safe_mode", <%= params["safe_mode"].inspect.html_safe %>);
Discourse.Session.currentProp("safe_mode", <%= normalized_safe_mode.inspect.html_safe %>);
<%- end %>
Discourse.HighlightJSPath = <%= HighlightJs.path.inspect.html_safe %>;
<%- if SiteSetting.enable_s3_uploads %>
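Review bot: The guard on the `<%- if params["safe_mode"] %>` line still tests the raw parameter while the emitted value now comes from `normalized_safe_mode`, so when the helper rejects the raw input the property is still written from whatever the helper returns; if that can be nil, `nil.inspect` yields the bare token `nil`, which would make the assignment a JavaScript reference error and abort the script block. Consider `<%- if normalized_safe_mode.present? %>` so the line is only emitted when a usable normalized value exists. The correctness of this fix rests entirely on `normalized_safe_mode` restricting its output to a fixed set of known tokens, because `String#inspect` escapes quotes and backslashes but leaves `<` and `/` untouched; that helper is defined in the other changed file, outside this hunk. A short comment here, `<%# safe_mode is reduced to known tokens by normalized_safe_mode; never interpolate the raw param into this script %>`, would keep the next editor from reintroducing `params["safe_mode"]`. The surrounding template continues beyond the hunk on both sides.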