security hole fixed
This commit is contained in:
parent
1c12c91d0c
commit
80929ead4b
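--- a/<path-not-shown>
+++ b/<path-not-shown>
@@ -76,7 +76,10 @@ class ApplicationController < ActionController::Base
 def store_preloaded(key, json)
 @preloaded ||= {}
-@preloaded[key] = json
+# I dislike that there is a gsub as opposed to a gsub!
+# but we can not be mucking with user input, I wonder if there is a way
+# to inject this safty deeper in the library or even in AM serializer
+@preloaded[key] = json.gsub("</", "<\\/")
 end
 
 # If we are rendering HTML, preload the session data
 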
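Review bot: The escape added on the `@preloaded[key] = json.gsub("</", "<\\/")` line only neutralises a `</script` sequence inside the JSON, so it is a narrow fix if this value is later written into an inline `<script>` element (the emission site is outside this hunk): the HTML parser also gives `<!--` special treatment in script data, and JavaScript engines before ES2019 reject raw U+2028/U+2029 line separators, which JSON permits inside strings. A more complete and more maintainable defence is to escape at the point of emission rather than at store time, for example with ActiveSupport's `ERB::Util.json_escape` (current versions cover `<`, `>`, `&` and the two line separators while keeping the output valid JSON; confirm the behaviour of the Rails version in use), leaving `store_preloaded` as a plain store. The replacement of `</` with `<\/` is itself correct, since `\/` is a valid JSON string escape and the result decodes to the same value. The added comment has a typo: `safty` should read `safety`.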