From 3a985c82c7492204dbefaa444aadc7bc3bb2ff8a Mon Sep 17 00:00:00 2001
From: Bianca Nenciu
Date: Wed, 9 Nov 2022 15:54:47 +0200
Subject: [PATCH] SECURITY: Correctly render link title in draft preview (#18958)

The additional unescaping could cause link titles to be rendered incorrectly.
---
 .../javascripts/discourse/app/lib/text.js | 1 -
 .../discourse/tests/unit/lib/text-test.js | 27 +++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 app/assets/javascripts/discourse/tests/unit/lib/text-test.js

diff --git a/app/assets/javascripts/discourse/app/lib/text.js b/app/assets/javascripts/discourse/app/lib/text.js
index 6e7def0ecdb..1d82623d501 100644
--- a/app/assets/javascripts/discourse/app/lib/text.js
+++ b/app/assets/javascripts/discourse/app/lib/text.js
@@ -150,7 +150,6 @@ export function excerpt(cooked, length) {
 resultLength += element.textContent.length;
 }
 } else if (element.tagName === "A") {
- element.innerHTML = element.innerText;
 result += element.outerHTML;
 resultLength += element.innerText.length;
 } else if (element.tagName === "IMG") {
diff --git a/app/assets/javascripts/discourse/tests/unit/lib/text-test.js b/app/assets/javascripts/discourse/tests/unit/lib/text-test.js
new file mode 100644
index 00000000000..a6420cd6947
--- /dev/null
+++ b/app/assets/javascripts/discourse/tests/unit/lib/text-test.js
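Review bot: The surviving `result += element.outerHTML;` line in the `A` branch deserves a comment recording why the anchor's cooked markup is now emitted untouched, because the removed `element.innerHTML = element.innerText;` reads like a harmless normalisation: `innerText` yields unescaped text, so writing it back through `innerHTML` re-parsed the link text as markup and discarded the escaping the cooked HTML already carried. I would add `// Keep the anchor's cooked markup verbatim: innerText is unescaped, and feeding it back through innerHTML re-parses link text as HTML.` directly above that line. The `excerpt` function starts and ends outside this hunk, so I cannot see whether the other element branches perform a similar text-to-HTML round-trip; a search for `innerHTML =` within the same function would confirm the fix is complete.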
@@ -0,0 +1,27 @@
+import { module, test } from "qunit";
+import { cookAsync, excerpt } from "discourse/lib/text";
+
+module("Unit | Utility | text", function () {
+ test("excerpt", async function (assert) {
+ let cooked = await cookAsync("Hello! :wave:");
+ assert.strictEqual(
+ await excerpt(cooked, 300),
+ 'Hello! :wave:'
+ );
+
+ cooked = await cookAsync("[:wave:](https://example.com)");
+ assert.strictEqual(
+ await excerpt(cooked, 300),
+ ':wave:'
+ );
+
+ cooked = await cookAsync('');
+ assert.strictEqual(await excerpt(cooked, 300), "");
+
+ cooked = await cookAsync("[``]()");
+ assert.strictEqual(
+ await excerpt(cooked, 300),
+ "<script>alert('hi')</script>"
+ );
+ });
+});
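Review bot: The four assertions share the single `test("excerpt", ...)` block although they exercise distinct paths (emoji, plain link, raw markup, code inside a link), so a failure of the regression case that guards the link-title fix would be reported only as "excerpt" failing; splitting them into separate cases such as `test("excerpt keeps escaped link text", ...)` would make the guard for #18958 identifiable in a run. As rendered here the expected strings appear to have lost their markup (the third case cooks `''` and expects `""`), so I am reading the intent of each case from the commit message rather than from the literal values. Every case also passes `300` as the length, so the truncation branch of `excerpt` is not covered by this file.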