mirror of
https://github.com/discourse/discourse.git
synced 2024-12-01 13:09:33 -06:00
ded6ea66a5
This commit prevents unallowed URLs in iframe src by adding a relative path like `https://bob.com/abc/def/../ghi`. Currently, the iframe linking to the site uses the current_user, not the post's author, so users who have no access to a certain path are not able to view anything they shouldn't. |
||
---|---|---|
.. | ||
emoji | ||
engines | ||
allow-lister.js | ||
censored-words.js | ||
emoji.js | ||
guid.js | ||
highlightjs-aliases.js | ||
inline-oneboxer.js | ||
mentions.js | ||
oneboxer-cache.js | ||
oneboxer.js | ||
pretty-text.js | ||
sanitizer.js | ||
upload-short-url.js |