github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-12-03 22:34:51 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: escape quotes in tag description when rendering (#19731)

Browse Source 
Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
This commit is contained in:
Alan Guo Xiang Tan 2023-01-05 08:51:16 +08:00 committed by GitHub
parent 9470ae7190
commit 66ab2d71ff
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
app/assets/javascripts/discourse/app/lib/render-tag.js
View File

@ -2,6 +2,7 @@ import User from "discourse/models/user";
import { escapeExpression } from "discourse/lib/utilities";
import getURL from "discourse-common/lib/get-url";
import { helperContext } from "discourse-common/lib/helpers";
import { escape } from "pretty-text/sanitizer";
let _renderer = defaultRenderTag;
@ -44,7 +45,7 @@ export function defaultRenderTag(tag, params) {
href +
" data-tag-name=" +
tag +
(params.description ? ' title="' + params.description + '" ' : "") +
(params.description ? ' title="' + escape(params.description) + '" ' : "") +
" class='" +
classes.join(" ") +
"'>" +