XSS: Escape the custom title (admin only) when displaying group titles.

2025-02-21 13:17:13 +08:00 · 2014-07-02 19:55:27 -04:00 · 2014-07-02 19:55:27 -04:00 · 554e5c8482
commit 554e5c8482
parent 162b5abae6
1 changed files with 1 additions and 0 deletions
--- a/app/assets/javascripts/discourse/components/poster-name.js.es6
+++ b/app/assets/javascripts/discourse/components/poster-name.js.es6
@ -37,6 +37,7 @@ var PosterNameComponent = Em.Component.extend({
      var title = post.get('user_title');
      if (!Em.isEmpty(title)) {

+        title = Handlebars.Utils.escapeExpression(title);
        buffer.push('<span class="user-title">');
        if (Em.isEmpty(primaryGroupName)) {
          buffer.push(title);