From 023b61ad2220a65ac31f22f30152c9c1a35786fc Mon Sep 17 00:00:00 2001
From: Jarek Radosz
Date: Wed, 27 Nov 2024 00:07:17 +0100
Subject: [PATCH] SECURITY: Stored xss in image caption
---
 .../javascripts/discourse/app/lib/lightbox.js | 7 +++++--
 .../discourse/tests/acceptance/lightbox-test.js | 15 ++++++++++++---
 2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/app/assets/javascripts/discourse/app/lib/lightbox.js b/app/assets/javascripts/discourse/app/lib/lightbox.js
index f25a8a94e2c..091a7e66a7e 100644
--- a/app/assets/javascripts/discourse/app/lib/lightbox.js
+++ b/app/assets/javascripts/discourse/app/lib/lightbox.js
@@ -2,7 +2,10 @@ import $ from "jquery";
 import { spinnerHTML } from "discourse/helpers/loading-spinner";
 import { SELECTORS } from "discourse/lib/lightbox/constants";
 import loadScript from "discourse/lib/load-script";
-import { postRNWebviewMessage } from "discourse/lib/utilities";
+import {
+ escapeExpression,
+ postRNWebviewMessage,
+} from "discourse/lib/utilities";
 import User from "discourse/models/user";
 import { isTesting } from "discourse-common/config/environment";
 import deprecated from "discourse-common/lib/deprecated";
@@ -116,7 +119,7 @@ export default function lightbox(elem, siteSettings) {
 titleSrc(item) {
 const href = item.el.data("download-href") || item.src;
 let src = [
- item.el.attr("title"),
+ escapeExpression(item.el.attr("title")),
 $("span.informations", item.el).text(),
 ];
 if (
diff --git a/app/assets/javascripts/discourse/tests/acceptance/lightbox-test.js b/app/assets/javascripts/discourse/tests/acceptance/lightbox-test.js
index 9e9730d8cf0..56ac92371df 100644
--- a/app/assets/javascripts/discourse/tests/acceptance/lightbox-test.js
+++ b/app/assets/javascripts/discourse/tests/acceptance/lightbox-test.js
@@ -10,8 +10,8 @@ acceptance("Lightbox", function (needs) {
 needs.pretender((server, helper) => {
 const topicResponse = cloneJSON(topicFixtures["/t/280/1.json"]);
 topicResponse.post_stream.posts[0].cooked += `
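Review bot: The second element of `src` in titleSrc, `$("span.informations", item.el).text()`, still enters the caption unescaped, while only the title attribute is now passed through escapeExpression. jQuery's `.text()` returns decoded text, and titleSrc presumably returns markup (the array looks like it is joined into the lightbox title HTML), so any `<` or `&` in that span would be interpreted as HTML once rendered; both parts should be treated the same, `escapeExpression($("span.informations", item.el).text()),`. A one-line comment above the array would make the contract explicit for the next maintainer: `// titleSrc returns HTML: every value interpolated here must be escaped`. titleSrc's body continues past the hunk, so whatever follows `if (` (including how `href` is used) is not reviewed here.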