IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-11-22 08:57:10 -06:00
Code Issues Packages Projects Releases Wiki Activity

SECURITY: escape quotes in tag description when rendering (#19730)

Browse Source 
Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
This commit is contained in:
Alan Guo Xiang Tan 2023-01-05 06:08:32 +08:00 committed by GitHub
parent cbcf8a064b
commit 692329896a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
app/assets/javascripts/discourse/app/lib/render-tag.js
View File

@ -2,6 +2,7 @@ import User from "discourse/models/user";
import { escapeExpression } from "discourse/lib/utilities";
import getURL from "discourse-common/lib/get-url";
import { helperContext } from "discourse-common/lib/helpers";
import { escape } from "pretty-text/sanitizer";
let _renderer = defaultRenderTag;
@ -44,7 +45,7 @@ export function defaultRenderTag(tag, params) {
href +
" data-tag-name=" +
tag +
(params.description ? ' title="' + params.description + '" ' : "") +
(params.description ? ' title="' + escape(params.description) + '" ' : "") +
" class='" +
classes.join(" ") +
"'>" +