SECURITY: Fix XSS in full name composer reply

We are using htmlSafe when rendering the name field so we need to escape
any html being passed in.
This commit is contained in:
Blake Erickson 2023-02-10 09:09:26 -07:00
parent 78a3efa710
commit 3374457c44
3 changed files with 8 additions and 5 deletions

View File

@ -12,6 +12,7 @@ import { alias } from "@ember/object/computed";
import discourseComputed from "discourse-common/utils/decorators";
import { iconHTML } from "discourse-common/lib/icon-library";
import { htmlSafe } from "@ember/template";
import { escape } from "pretty-text/sanitizer";
const TITLES = {
[PRIVATE_MESSAGE]: "topic.private_message",
@ -84,7 +85,9 @@ export default Component.extend({
},
_formatReplyToUserPost(avatar, link) {
const htmlLink = `<a class="user-link" href="${link.href}">${link.anchor}</a>`;
const htmlLink = `<a class="user-link" href="${link.href}">${escape(
link.anchor
)}</a>`;
return htmlSafe(`${avatar}${htmlLink}`);
},
});

View File

@ -518,11 +518,11 @@ acceptance("Prioritize Full Name", function (needs) {
test("Reply to post use full name", async function (assert) {
await visit("/t/short-topic-with-two-posts/54079");
await click("article#post_2 button.reply");
await click("article#post_3 button.reply");
assert.strictEqual(
query(".action-title .user-link").innerText.trim(),
"james, john, the third"
query(".action-title .user-link").innerHTML.trim(),
"&lt;h1&gt;Tim Stone&lt;/h1&gt;"
);
});

View File

@ -6497,7 +6497,7 @@ export default {
},
{
id: 419,
name: "Tim Stone",
name: "<h1>Tim Stone</h1>",
username: "tms",
avatar_template: "/letter_avatar_proxy/v4/letter/t/3be4f8/{size}.png",
uploaded_avatar_id: 40181,