SECURITY: Remove XSS in composer preview when applying image scale buttons.

This commit is contained in:
Guo Xiang Tan
2019-04-08 11:20:28 +08:00
parent 13c6bf54d0
commit 33fa249fa5
2 changed files with 22 additions and 8 deletions


@@ -878,15 +878,13 @@ export default Ember.Component.extend({
if ($preview.find(".codeblock-image").length === 0) {
this.$(".d-editor-preview *")
.contents()
.filter(function() {
return this.nodeType === 3; // TEXT_NODE
})
.each(function() {
$(this).replaceWith(
$(this)
.text()
.replace(imageScaleRegex, "<span class='codeblock-image'>$&</a>")
);
if (this.nodeType !== 3) return; // TEXT_NODE
const $this = $(this);
if ($this.text().match(imageScaleRegex)) {
$this.wrap("<span class='codeblock-image'></span>");
}
});
}