From b17908fab15709bf80f64621f34b27d6f2c16d2e Mon Sep 17 00:00:00 2001 From: Robin Ward Date: Fri, 5 Aug 2016 12:01:16 -0400 Subject: [PATCH] SECURITY: XSS issue on Admin users list --- .../admin/templates/users-list-show.hbs | 6 ++-- .../discourse/controllers/login.js.es6 | 6 ++-- .../templates/modal/not-activated.hbs | 2 +- app/services/user_activator.rb | 2 +- spec/services/user_activator_spec.rb | 10 +++++++ .../acceptance/admin-users-list-test.js.es6 | 11 ++++++++ .../acceptance/sign-in-test.js.es6 | 28 +++++++++++++++++-- .../helpers/create-pretender.js.es6 | 17 +++++++++++ 8 files changed, 72 insertions(+), 10 deletions(-) create mode 100644 test/javascripts/acceptance/admin-users-list-test.js.es6 diff --git a/app/assets/javascripts/admin/templates/users-list-show.hbs b/app/assets/javascripts/admin/templates/users-list-show.hbs index 2c962574f97..3d43a4aa180 100644 --- a/app/assets/javascripts/admin/templates/users-list-show.hbs +++ b/app/assets/javascripts/admin/templates/users-list-show.hbs @@ -21,7 +21,7 @@ {{#conditional-loading-spinner condition=refreshing}} {{#if model}} - +
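Review bot: The `escape(...)` wrapped around `result.sent_to_email` and `result.current_email` on the two `+` lines only closes the hole if it is an HTML escaper; its import is not in the hunk, and if the name resolves to the global `escape()` it percent-encodes everything outside `[A-Za-z0-9@*_+-./]` rather than producing HTML entities, so the values would render mangled while still being dropped raw into the triple-stash `{{{i18n 'login.not_activated' sentTo=sentTo}}}` in not-activated.hbs. Worth confirming which `escape` is in scope above line 63. Because the unescaped template is what makes these two fields dangerous, a why-comment at the call site stops the next maintainer from removing the escaping as a no-op: `// not-activated.hbs interpolates these into an unescaped {{{i18n}}} string, so they must be HTML-escaped here`. The enclosing login handler starts and ends outside the hunk.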
{{#if showApproval}} @@ -42,7 +42,7 @@ {{#each user in model}} - + {{#if controller.showApproval}} - + diff --git a/app/assets/javascripts/discourse/controllers/login.js.es6 b/app/assets/javascripts/discourse/controllers/login.js.es6 index cd81f119c01..84a91034118 100644 --- a/app/assets/javascripts/discourse/controllers/login.js.es6 +++ b/app/assets/javascripts/discourse/controllers/login.js.es6 @@ -63,11 +63,11 @@ export default Ember.Controller.extend(ModalFunctionality, { // Successful login if (result.error) { self.set('loggingIn', false); - if( result.reason === 'not_activated' ) { + if (result.reason === 'not_activated') { self.send('showNotActivated', { username: self.get('loginName'), - sentTo: result.sent_to_email, - currentEmail: result.current_email + sentTo: escape(result.sent_to_email), + currentEmail: escape(result.current_email) }); } else if (result.reason === 'suspended' ) { self.send("closeModal"); diff --git a/app/assets/javascripts/discourse/templates/modal/not-activated.hbs b/app/assets/javascripts/discourse/templates/modal/not-activated.hbs index f8df2639e9d..9d6620cbca6 100644 --- a/app/assets/javascripts/discourse/templates/modal/not-activated.hbs +++ b/app/assets/javascripts/discourse/templates/modal/not-activated.hbs @@ -3,7 +3,7 @@ {{{i18n 'login.sent_activation_email_again' currentEmail=currentEmail}}} {{else}} {{{i18n 'login.not_activated' sentTo=sentTo}}} - {{i18n 'login.resend_activation_email'}} + {{i18n 'login.resend_activation_email'}} {{/if}}
{{input type="checkbox" checked=selectAll}}
{{#if user.can_approve}} @@ -52,7 +52,7 @@ {{/if}} {{avatar user imageSize="small"}} {{#link-to 'adminUser' user}}{{unbound user.username}}{{/link-to}}{{{unbound user.email}}} {{{unbound user.last_emailed_age}}} {{{unbound user.last_seen_age}}} {{{unbound user.topics_entered}}}
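Review bot: On the new side of the `@@ -52,7 +52,7 @@` hunk the email cell still renders through the triple-stash `{{{unbound user.email}}}`, which bypasses Handlebars escaping; an email address is user-supplied at signup, so unless the serializer guarantees the value is HTML-safe it should use the escaping form `{{unbound user.email}}`, matching the username cell that already uses `{{unbound user.username}}`. The `last_emailed_age`, `last_seen_age` and `topics_entered` cells use the same triple-stash; they look server-computed, so this is a lower-priority consistency point rather than a known issue. The `-`/`+` lines of this hunk appear to have been lost when the markup was stripped, so which cells the commit already converted cannot be confirmed from what is visible here.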