SECURITY: XSS Protection on Queued Posts

app/assets/javascripts/discourse/helpers/cook-text.js.es6

@@ -1,6 +1,6 @@
 import registerUnbound from 'discourse/helpers/register-unbound';
 
 registerUnbound('cook-text', function(text) {
-  return new Handlebars.SafeString(Discourse.Markdown.cook(text));
+  return new Handlebars.SafeString(Discourse.Markdown.cook(text, {sanitize: true}));
 });
 

app/assets/javascripts/discourse/routes/queued-posts.js.es6

@@ -1,6 +1,13 @@
+import loadScript from 'discourse/lib/load-script';
 import DiscourseRoute from 'discourse/routes/discourse';
 
 export default DiscourseRoute.extend({
+
+  // this route requires the sanitizer
+  beforeModel() {
+    loadScript('defer/html-sanitizer-bundle');
+  },
+
   model() {
     return this.store.find('queuedPost', {status: 'new'});
   },