IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-25 18:55:32 -06:00
Code Issues Packages Projects Releases Wiki Activity

SECURITY: category badges should HTML escape names

Browse Source
This commit is contained in:
Sam
2018-06-28 18:14:55 +10:00
parent ec3e6a81a4
commit db14e10943
3 changed files with 22 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/models/category.rb
View File

@@ -217,7 +217,7 @@ class Category < ActiveRecord::Base
@@cache ||= LruRedux::ThreadSafeCache.new(1000)
@@cache.getset(self.description) do
Nokogiri::HTML.fragment(self.description).text.strip
Nokogiri::HTML.fragment(self.description).text.strip.html_safe
end
end