IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-25 18:55:32 -06:00
Code Issues Packages Projects Releases Wiki Activity

SECURITY: self XSS by admin by editing badge name

Browse Source
This commit is contained in:
Sam 2014-04-23 09:46:32 +10:00
parent 6538874064
commit 8abf652dc3
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/assets/javascripts/discourse/lib/html.js
View File

@ -93,7 +93,7 @@ Discourse.HTML = {
html += "data-drop-close=\"true\" class=\"badge-category" + (restricted ? ' restricted' : '' ) + html += "data-drop-close=\"true\" class=\"badge-category" + (restricted ? ' restricted' : '' ) +
extraClasses + "\" "; extraClasses + "\" ";
name = Handlebars.Utils.escapeExpression(name);
// Add description if we have it // Add description if we have it
if (description) html += "title=\"" + Handlebars.Utils.escapeExpression(description) + "\" "; if (description) html += "title=\"" + Handlebars.Utils.escapeExpression(description) + "\" ";