SECURITY: XSS when displaying watched words in admin panel.
The XSS is only exploitable when the CSP site setting is disabled. Impact is low because CSP is enabled by default in SiteSettings.
This commit is contained in:
parent
fe8bd92f71
commit
477bacb3ae
|
@ -1,5 +1,6 @@
|
|||
import { iconHTML } from "discourse-common/lib/icon-library";
|
||||
import { bufferedRender } from "discourse-common/lib/buffered-render";
|
||||
import { escapeExpression } from "discourse/lib/utilities";
|
||||
|
||||
export default Ember.Component.extend(
|
||||
bufferedRender({
|
||||
|
@ -7,7 +8,7 @@ export default Ember.Component.extend(
|
|||
|
||||
buildBuffer(buffer) {
|
||||
buffer.push(iconHTML("times"));
|
||||
buffer.push(" " + this.get("word.word"));
|
||||
buffer.push(` ${escapeExpression(this.get("word.word"))}`);
|
||||
},
|
||||
|
||||
click() {
|
||||
|
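Review bot: The new `buffer.push(` ${escapeExpression(this.get("word.word"))}`)` closes this one hole, but `buildBuffer` still assembles raw HTML by string concatenation, so every value appended to the buffer in future has to be escaped by hand and nothing in the code records that. A comment on the `buildBuffer(buffer) {` line, `// buffer is raw HTML: anything user-controlled pushed here must go through escapeExpression`, would make the invariant visible to the next editor; longer term, rendering the word through a template would give auto-escaping instead of relying on a manual call. Only `iconHTML("times")` is left unescaped, which is fine as it is not user-controlled. The `Ember.Component.extend(` call opened in the first hunk closes outside the visible lines, and the `click()` handler's body is also outside the hunk.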
|
|
@ -32,6 +32,12 @@ QUnit.test("list words in groups", async assert => {
|
|||
"Always show the words when checkbox is checked."
|
||||
);
|
||||
|
||||
assert.equal(
|
||||
$(find(".watched-words-list .watched-word")[2]).text(),
|
||||
' <img src="x">',
|
||||
"it should escape watched words"
|
||||
);
|
||||
|
||||
await click(".nav-stacked .censor a");
|
||||
|
||||
assert.ok(exists(".watched-words-list"));
|
||||
|
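Review bot: The assertion on `$(find(".watched-words-list .watched-word")[2]).text()` does distinguish the escaped case from an injected `<img>` (an element would contribute no text), but it silently assumes the icon markup contributes nothing to `.text()`, which is not visible here. A direct negative check beside it, `assert.notOk(exists(".watched-words-list .watched-word img"), "no element is injected");`, states the security property explicitly and will not break if the icon's text content changes. The fixture word is a bare tag; a value carrying quotes and an event-handler attribute would also cover the attribute-escaping path. The enclosing `QUnit.test("list words in groups", …)` starts before this hunk.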
|
|
@ -6,7 +6,8 @@ export default {
|
|||
{ id: 2, word: "anise", action: "block" },
|
||||
{ id: 3, word: "pyramid", action: "flag" },
|
||||
{ id: 4, word: "scheme", action: "flag" },
|
||||
{ id: 5, word: "coupon", action: "require_approval" }
|
||||
{ id: 5, word: "coupon", action: "require_approval" },
|
||||
{ id: 6, word: '<img src="x">', action: "block" },
|
||||
]
|
||||
}
|
||||
};
|
||||
|
|