SECURITY: Stored xss in image caption

app/assets/javascripts/discourse/app/lib/lightbox.js

@@ -2,7 +2,10 @@ import $ from "jquery";
 import { spinnerHTML } from "discourse/helpers/loading-spinner";
 import { SELECTORS } from "discourse/lib/lightbox/constants";
 import loadScript from "discourse/lib/load-script";
-import { postRNWebviewMessage } from "discourse/lib/utilities";
+import {
+  escapeExpression,
+  postRNWebviewMessage,
+} from "discourse/lib/utilities";
 import User from "discourse/models/user";
 import { isTesting } from "discourse-common/config/environment";
 import deprecated from "discourse-common/lib/deprecated";
@@ -116,7 +119,7 @@ export default function lightbox(elem, siteSettings) {
         titleSrc(item) {
           const href = item.el.data("download-href") || item.src;
           let src = [
-            item.el.attr("title"),
+            escapeExpression(item.el.attr("title")),
             $("span.informations", item.el).text(),
           ];
           if (

app/assets/javascripts/discourse/tests/acceptance/lightbox-test.js

@@ -10,8 +10,8 @@ acceptance("Lightbox", function (needs) {
   needs.pretender((server, helper) => {
     const topicResponse = cloneJSON(topicFixtures["/t/280/1.json"]);
     topicResponse.post_stream.posts[0].cooked += `<div class="lightbox-wrapper">
-      <a class="lightbox" href="/images/d-logo-sketch.png" data-download-href="//discourse.local/uploads/default/ad768537789cdf4679a18161ac0b0b6f0f4ccf9e" title="image">
-        <img src="/images/d-logo-sketch-small.png" alt="image" data-base62-sha1="oKwwVE8qLWFBkE5UJeCs2EwxHHg" width="690" height="387" srcset="/images/d-logo-sketch-small.png" data-small-upload="/images/d-logo-sketch-small.png">
+      <a class="lightbox" href="/images/d-logo-sketch.png" data-download-href="//discourse.local/uploads/default/ad768537789cdf4679a18161ac0b0b6f0f4ccf9e" title="<script>image</script>">
+        <img src="/images/d-logo-sketch-small.png" alt="<script>image</script>" data-base62-sha1="oKwwVE8qLWFBkE5UJeCs2EwxHHg" width="690" height="387" srcset="/images/d-logo-sketch-small.png" data-small-upload="/images/d-logo-sketch-small.png">
         <div class="meta">
           <svg class="fa d-icon d-icon-far-image svg-icon" aria-hidden="true"><use href="#far-image"></use></svg>
           <span class="filename">image</span><span class="informations">1500×842 234 KB</span>
@@ -32,7 +32,9 @@ acceptance("Lightbox", function (needs) {
 
     assert
       .dom(".mfp-title")
-      .hasText("image · 1500×842 234 KB · download · original image");
+      .hasText(
+        "<script>image</script> · 1500×842 234 KB · download · original image"
+      );
 
     assert
       .dom(".image-source-link:nth-child(1)")
@@ -47,4 +49,11 @@ acceptance("Lightbox", function (needs) {
 
     await click(".mfp-close");
   });
+
+  test("Correctly escapes image caption", async function (assert) {
+    await visit("/t/internationalization-localization/280");
+    await click(".lightbox");
+
+    assert.dom(".mfp-title").hasHtml(/^&lt;script&gt;image&lt;\/script&gt; · /);
+  });
 });