github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-12-16 06:03:46 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: escape HTML entities from topic title

Browse Source
This commit is contained in:
Arpit Jalan 2018-04-15 18:44:28 +05:30
parent 411696b85e
commit 27972c1202
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lib/guardian/category_guardian.rb
View File

@ -34,7 +34,7 @@ module CategoryGuardian
if category.topic_count != 0
oldest_topic = category.topics.where.not(id: category.topic_id).order('created_at ASC').limit(1).first
if oldest_topic
return I18n.t('category.cannot_delete.topic_exists', count: category.topic_count, topic_link: "<a href=\"#{oldest_topic.url}\">#{oldest_topic.title}</a>")
return I18n.t('category.cannot_delete.topic_exists', count: category.topic_count, topic_link: "<a href=\"#{oldest_topic.url}\">#{CGI.escapeHTML(oldest_topic.title)}</a>")
else
# This is a weird case, probably indicating a bug.
return I18n.t('category.cannot_delete.topic_exists_no_oldest', count: category.topic_count)