IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-25 18:55:32 -06:00
Code Issues Packages Projects Releases Wiki Activity

SECURITY: escape title HTML for inline onebox

Browse Source
This commit is contained in:
Sam
2019-01-10 12:02:05 +11:00
parent c85b9c6ed3
commit 35b59cfa78
2 changed files with 4 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
lib/cooked_post_processor.rb
View File

@@ -655,7 +655,7 @@ class CookedPostProcessor
)
if title = inline_onebox&.dig(:title)
element.children = title
element.children = CGI.escapeHTML(title)
element.add_class(INLINE_ONEBOX_CSS_CLASS)
end