SECURITY: XSS when oneboxing user profile location field

The XSS here is only possible if CSP is disabled. Low impact since CSP is enabled by default in SiteSettings.
This commit is contained in:
Penar Musaraj
2019-09-17 16:12:50 -04:00
parent c3bbf643b1
commit 3debdc8131
2 changed files with 20 additions and 2 deletions

@@ -245,7 +245,7 @@ module Oneboxer
avatar: PrettyText.avatar_img(user.avatar_template, "extra_large"),
name: name,
bio: user.user_profile.bio_excerpt(230),
location: user.user_profile.location,
location: Onebox::Helpers.sanitize(user.user_profile.location),
joined: I18n.t('joined'),
created_at: user.created_at.strftime(I18n.t('datetime_formats.formats.date_only')),
website: user.user_profile.website,
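Review bot: Only `location` is wrapped in `Onebox::Helpers.sanitize` in this hunk, while the neighbouring user-supplied fields `name:` and `website: user.user_profile.website,` (and the `bio_excerpt` value) are still passed through to the onebox template as-is. Unless those values are escaped by the template or sanitized on input, they sit in the same rendering path as the field this commit fixes; either apply the same helper to them here or add a comment stating where they are escaped so the next reader does not have to re-audit the whole hash.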