github-mirror/discourse
github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-24 20:43:28 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: Escape image title in lightbox.

Browse Source
This commit is contained in:
Guo Xiang Tan 2016-08-11 11:15:00 +08:00
parent 6d2a687ec7
commit 515024a0ac
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
app/assets/javascripts/discourse/lib/lightbox.js.es6
View File

@ -1,4 +1,5 @@
import loadScript from 'discourse/lib/load-script';
import { escapeExpression } from 'discourse/lib/utilities';
export default function($elem) {
$("a.lightbox", $elem).each(function(i, e) {
@ -33,7 +34,7 @@ export default function($elem) {
image: {
titleSrc(item) {
const href = item.el.data("download-href") || item.src;
let src = [item.el.attr("title"), $("span.informations", item.el).text().replace('x', '×')];
let src = [escapeExpression(item.el.attr("title")), $("span.informations", item.el).text().replace('x', '×')];
if (!Discourse.SiteSettings.prevent_anons_from_downloading_files || Discourse.User.current()) {
src.push('<a class="image-source-link" href="' + href + '">' + I18n.t("lightbox.download") + '</a>');
}