SECURITY: Properly escape user content within <noscript>

David Taylor
2024-01-17 11:30:27 +00:00
committed by Isaac Janzen
parent c3b8216869
commit 9b50de4569
3 changed files with 62 additions and 7 deletions


@@ -99,15 +99,17 @@
<%= render_google_tag_manager_body_code %>
<noscript data-path="<%= request.env['PATH_INFO'] %>">
<%= render partial: "layouts/noscript_header" %>
<%= escape_noscript do %>
<%= render partial: "layouts/noscript_header" %>
<div id="main-outlet" class="wrap" role="main">
<!-- preload-content: -->
<%= yield %>
<!-- :preload-content -->
</div>
<div id="main-outlet" class="wrap" role="main">
<!-- preload-content: -->
<%= yield %>
<!-- :preload-content -->
</div>
<%= render partial: "layouts/noscript_footer" %>
<%= render partial: "layouts/noscript_footer" %>
<% end %>
</noscript>
<%- unless customization_disabled? %>