From 6dfd8ed47e1b55c1a1980fd3fa43348cbd99e398 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A9gis=20Hanol?= Date: Sat, 14 May 2016 00:08:19 +0200 Subject: [PATCH] SECURITY: 2 XSSs in post gutter and local oneboxes --- app/assets/javascripts/discourse/widgets/post-gutter.js.es6 | 2 +- lib/onebox/engine/discourse_local_onebox.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/app/assets/javascripts/discourse/widgets/post-gutter.js.es6 b/app/assets/javascripts/discourse/widgets/post-gutter.js.es6 index 61d7f973e0f..ac03b0117e3 100644 --- a/app/assets/javascripts/discourse/widgets/post-gutter.js.es6 +++ b/app/assets/javascripts/discourse/widgets/post-gutter.js.es6 @@ -28,7 +28,7 @@ export default createWidget('post-gutter', { seenTitles[title] = true; titleCount++; if (result.length < toShow) { - const linkBody = [new RawHtml({html: `${Discourse.Emoji.unescape(title)}`})]; + const linkBody = [new RawHtml({html: `${Discourse.Emoji.unescape(Handlebars.Utils.escapeExpression(title))}`})]; if (l.clicks) { linkBody.push(h('span.badge.badge-notification.clicks', l.clicks.toString())); } diff --git a/lib/onebox/engine/discourse_local_onebox.rb b/lib/onebox/engine/discourse_local_onebox.rb index 9ac748e27fd..811d669b1c0 100644 --- a/lib/onebox/engine/discourse_local_onebox.rb +++ b/lib/onebox/engine/discourse_local_onebox.rb @@ -93,7 +93,7 @@ module Onebox quote = post.excerpt(SiteSetting.post_onebox_maxlength) args = { original_url: url, - title: PrettyText.unescape_emoji(topic.title), + title: PrettyText.unescape_emoji(CGI::escapeHTML(topic.title)), avatar: PrettyText.avatar_img(topic.user.avatar_template, 'tiny'), posts_count: topic.posts_count, last_post: FreedomPatches::Rails4.time_ago_in_words(topic.last_posted_at, false, scope: :'datetime.distance_in_words_verbose'),