SECURITY: 2 XSSs in post gutter and local oneboxes

Régis Hanol
2016-05-14 00:08:19 +02:00
parent fe5b0cf36f
commit 5a75972b0b
2 changed files with 2 additions and 2 deletions


@@ -29,7 +29,7 @@ export default createWidget('post-gutter', {
seenTitles[title] = true;
titleCount++;
if (result.length < toShow) {
const linkBody = [new RawHtml({html: `<span>${Discourse.Emoji.unescape(title)}</span>`})];
const linkBody = [new RawHtml({html: `<span>${Discourse.Emoji.unescape(Handlebars.Utils.escapeExpression(title))}</span>`})];
if (l.clicks) {
linkBody.push(h('span.badge.badge-notification.clicks', l.clicks.toString()));
}
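Review bot: The new `linkBody` line is safe only because `Handlebars.Utils.escapeExpression(title)` runs before `Discourse.Emoji.unescape` while the result is still handed to `RawHtml`, and nothing on the line records that this order is load-bearing. I would add a comment above it, `// title may hold untrusted text: escape first, then expand emoji, because RawHtml inserts the string as-is`, so a later refactor does not swap or drop the calls. Whether `Emoji.unescape` can build markup from already-escaped text is not visible in this hunk, so a regression test that renders a title containing markup characters together with an emoji code, and asserts the title shows up only as text, would be worth adding. The enclosing function starts and ends outside the hunk.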