SECURITY: escape cat name ()

Blake Erickson 2021-08-25 17:11:58 -06:00 committed by GitHub
parent 841e054907
commit 75b0d6df93
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 7 additions and 1 deletions
app/assets/javascripts/discourse/app
models
templates/components

@ -8,6 +8,7 @@ import { ajax } from "discourse/lib/ajax";
import { get } from "@ember/object";
import { getOwner } from "discourse-common/lib/get-owner";
import getURL from "discourse-common/lib/get-url";
import { escapeExpression } from "discourse/lib/utilities";
const STAFF_GROUP_NAME = "staff";
@ -56,6 +57,11 @@ const Category = RestModel.extend({
return { type: "category", id, category: this };
},
@discourseComputed("name")
escapeName(name) {
return escapeExpression(name);
},
@discourseComputed("parentCategory.ancestors")
ancestors(parentAncestors) {
return [...(parentAncestors || []), this];
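Review bot: The new `escapeName` computed property has no comment saying which output context it is meant for, and that matters because the value is already HTML-escaped. If it is later bound in an ordinary `{{category.escapeName}}` expression, which escapes on its own, the name will be double-encoded. If someone keeps using `category.name` with a helper that emits markup, the escaping is bypassed. I would add `// HTML-escaped name, only for helpers that output raw markup (e.g. dir-span); plain {{...}} bindings must keep using name.` above the decorator, and consider naming it `escapedName` so it reads as a value rather than an action. The commit touches only two files, so a model test that sets a name containing `<` and `&` and checks the escaped result appears to be missing. The enclosing `Category = RestModel.extend({` block and the `ancestors` body continue outside this hunk.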

@ -4,7 +4,7 @@
{{#if category.read_restricted}}
{{d-icon lockIcon}}
{{/if}}
<span class="category-name">{{dir-span category.name}}</span>
<span class="category-name">{{dir-span category.escapeName}}</span>
</div>
{{#if category.uploaded_logo.url}}
{{cdn-img
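Review bot: The escaping is applied only at this one call site, `{{dir-span category.escapeName}}`, so the protection depends on every template remembering to pass the escaped property. The `dir-span` helper is not shown here, but the need for this change suggests it emits its argument as markup. If so, any other template that passes `category.name` or other user-controlled text to it stays exposed. It would be worth checking the remaining `dir-span` call sites, and preferably making the helper escape its input by default so callers opt in to raw HTML instead. The surrounding template block starts and ends outside this hunk.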