SECURITY: 2 XSSs in post gutter and local oneboxes

2024-12-15 15:53:41 +08:00 · 2016-05-14 00:08:19 +02:00 · 2016-05-14 00:08:19 +02:00 · 6dfd8ed47e
commit 6dfd8ed47e
parent 47e932159e
2 changed files with 2 additions and 2 deletions
--- a/app/assets/javascripts/discourse/widgets/post-gutter.js.es6
+++ b/app/assets/javascripts/discourse/widgets/post-gutter.js.es6
@ -28,7 +28,7 @@ export default createWidget('post-gutter', {
        seenTitles[title] = true;
        titleCount++;
        if (result.length < toShow) {
-          const linkBody = [new RawHtml({html: `<span>${Discourse.Emoji.unescape(title)}</span>`})];
+          const linkBody = [new RawHtml({html: `<span>${Discourse.Emoji.unescape(Handlebars.Utils.escapeExpression(title))}</span>`})];
          if (l.clicks) {
            linkBody.push(h('span.badge.badge-notification.clicks', l.clicks.toString()));
          }
--- a/lib/onebox/engine/discourse_local_onebox.rb
+++ b/lib/onebox/engine/discourse_local_onebox.rb
@ -93,7 +93,7 @@ module Onebox

            quote = post.excerpt(SiteSetting.post_onebox_maxlength)
            args = { original_url: url,
-                     title: PrettyText.unescape_emoji(topic.title),
+                     title: PrettyText.unescape_emoji(CGI::escapeHTML(topic.title)),
                     avatar: PrettyText.avatar_img(topic.user.avatar_template, 'tiny'),
                     posts_count: topic.posts_count,
                     last_post: FreedomPatches::Rails4.time_ago_in_words(topic.last_posted_at, false, scope: :'datetime.distance_in_words_verbose'),