SECURITY: escape quotes in tag description when rendering (#19731)
Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
This commit is contained in:
parent
9470ae7190
commit
66ab2d71ff
@ -2,6 +2,7 @@ import User from "discourse/models/user";
|
||||||
import { escapeExpression } from "discourse/lib/utilities";
|
import { escapeExpression } from "discourse/lib/utilities";
|
||||||
import getURL from "discourse-common/lib/get-url";
|
import getURL from "discourse-common/lib/get-url";
|
||||||
import { helperContext } from "discourse-common/lib/helpers";
|
import { helperContext } from "discourse-common/lib/helpers";
|
||||||
|
import { escape } from "pretty-text/sanitizer";
|
||||||
|
|
||||||
let _renderer = defaultRenderTag;
|
let _renderer = defaultRenderTag;
|
||||||
|
|
||||||
|
@ -44,7 +45,7 @@ export function defaultRenderTag(tag, params) {
|
||||||
href +
|
href +
|
||||||
" data-tag-name=" +
|
" data-tag-name=" +
|
||||||
tag +
|
tag +
|
||||||
(params.description ? ' title="' + params.description + '" ' : "") +
|
(params.description ? ' title="' + escape(params.description) + '" ' : "") +
|
||||||
" class='" +
|
" class='" +
|
||||||
classes.join(" ") +
|
classes.join(" ") +
|
||||||
"'>" +
|
"'>" +
|
||||||
|
|
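Review bot: The neighbouring attributes in this hunk still take their values unescaped — `href` and `tag` are concatenated as-is, and `data-tag-name=` has no quotes around its value, so a tag name containing whitespace or `>` would terminate the attribute or the element; whether both are sanitized earlier in `defaultRenderTag` cannot be seen here, as the function starts and ends outside the hunk. The fix also brings in a second escaping helper, `escape` from `pretty-text/sanitizer`, while `escapeExpression` from `discourse/lib/utilities` is already imported in this file (first hunk); if the two deliberately differ in what they cover, a one-line comment next to the new import, e.g. `// escape() rather than escapeExpression() because …`, would keep the next reader from swapping them. Since the title value is wrapped in double quotes, it is worth confirming that `escape` encodes `"` and `&` — the commit message says it escapes quotes, but the helper itself is not part of the diff.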