XSS fix for category descriptions

Robin Ward 2013-04-01 12:01:27 -04:00
parent 4c5ab8d688
commit e4d190d856


@ -39,19 +39,18 @@ Discourse.Utilities = {
// Create a badge like category link
categoryLink: function(category) {
var color, textColor, name, description, result;
if (!category) return "";
color = Em.get(category, 'color');
textColor = Em.get(category, 'text_color');
name = Em.get(category, 'name');
description = Em.get(category, 'description');
var color = Em.get(category, 'color');
var textColor = Em.get(category, 'text_color');
var name = Em.get(category, 'name');
var description = Em.get(category, 'description');
// Build the HTML link
result = "<a href=\"" + Discourse.getURL("/category/") + this.categoryUrlId(category) + "\" class=\"badge-category\" ";
var result = "<a href=\"" + Discourse.getURL("/category/") + this.categoryUrlId(category) + "\" class=\"badge-category\" ";
// Add description if we have it
if (description) result += "title=\"" + description + "\" ";
if (description) result += "title=\"" + Handlebars.Utils.escapeExpression(description) + "\" ";
return result + "style=\"background-color: #" + color + "; color: #" + textColor + ";\">" + name + "</a>";
},