github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-12-15 18:23:39 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: 2 XSSs in post gutter and local oneboxes

Browse Source
This commit is contained in:
Régis Hanol 2016-05-14 00:08:19 +02:00
parent 47e932159e
commit 6dfd8ed47e
2 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/assets/javascripts/discourse/widgets/post-gutter.js.es6
View File

@ -28,7 +28,7 @@ export default createWidget('post-gutter', {
seenTitles[title] = true; seenTitles[title] = true;
titleCount++; titleCount++;
if (result.length < toShow) { if (result.length < toShow) {
const linkBody = [new RawHtml({html: `<span>${Discourse.Emoji.unescape(title)}</span>`})]; const linkBody = [new RawHtml({html: `<span>${Discourse.Emoji.unescape(Handlebars.Utils.escapeExpression(title))}</span>`})];
if (l.clicks) { if (l.clicks) {
linkBody.push(h('span.badge.badge-notification.clicks', l.clicks.toString())); linkBody.push(h('span.badge.badge-notification.clicks', l.clicks.toString()));
} }

2
lib/onebox/engine/discourse_local_onebox.rb
View File

@ -93,7 +93,7 @@ module Onebox
quote = post.excerpt(SiteSetting.post_onebox_maxlength) quote = post.excerpt(SiteSetting.post_onebox_maxlength)
args = { original_url: url, args = { original_url: url,
title: PrettyText.unescape_emoji(topic.title), title: PrettyText.unescape_emoji(CGI::escapeHTML(topic.title)),
avatar: PrettyText.avatar_img(topic.user.avatar_template, 'tiny'), avatar: PrettyText.avatar_img(topic.user.avatar_template, 'tiny'),
posts_count: topic.posts_count, posts_count: topic.posts_count,
last_post: FreedomPatches::Rails4.time_ago_in_words(topic.last_posted_at, false, scope: :'datetime.distance_in_words_verbose'), last_post: FreedomPatches::Rails4.time_ago_in_words(topic.last_posted_at, false, scope: :'datetime.distance_in_words_verbose'),