mirror of
https://github.com/discourse/discourse.git
synced 2024-11-29 12:13:58 -06:00
SECURITY: Fix XSS in full name composer reply
We are using htmlSafe when rendering the name field so we need to escape any html being passed in.
This commit is contained in:
parent
7dd317b875
commit
d89b537d8f
@ -12,6 +12,7 @@ import { alias } from "@ember/object/computed";
|
||||
import discourseComputed from "discourse-common/utils/decorators";
|
||||
import { iconHTML } from "discourse-common/lib/icon-library";
|
||||
import { htmlSafe } from "@ember/template";
|
||||
import { escape } from "pretty-text/sanitizer";
|
||||
|
||||
const TITLES = {
|
||||
[PRIVATE_MESSAGE]: "topic.private_message",
|
||||
@ -84,7 +85,9 @@ export default Component.extend({
|
||||
},
|
||||
|
||||
_formatReplyToUserPost(avatar, link) {
|
||||
const htmlLink = `<a class="user-link" href="${link.href}">${link.anchor}</a>`;
|
||||
const htmlLink = `<a class="user-link" href="${link.href}">${escape(
|
||||
link.anchor
|
||||
)}</a>`;
|
||||
return htmlSafe(`${avatar}${htmlLink}`);
|
||||
},
|
||||
});
|
||||
|
@ -518,11 +518,11 @@ acceptance("Prioritize Full Name", function (needs) {
|
||||
|
||||
test("Reply to post use full name", async function (assert) {
|
||||
await visit("/t/short-topic-with-two-posts/54079");
|
||||
await click("article#post_2 button.reply");
|
||||
await click("article#post_3 button.reply");
|
||||
|
||||
assert.strictEqual(
|
||||
query(".action-title .user-link").innerText.trim(),
|
||||
"james, john, the third"
|
||||
query(".action-title .user-link").innerHTML.trim(),
|
||||
"<h1>Tim Stone</h1>"
|
||||
);
|
||||
});
|
||||
|
||||
|
@ -6497,7 +6497,7 @@ export default {
|
||||
},
|
||||
{
|
||||
id: 419,
|
||||
name: "Tim Stone",
|
||||
name: "<h1>Tim Stone</h1>",
|
||||
username: "tms",
|
||||
avatar_template: "/letter_avatar_proxy/v4/letter/t/3be4f8/{size}.png",
|
||||
uploaded_avatar_id: 40181,
|
||||
|
Loading…
Reference in New Issue
Block a user