SECURITY: properly escape user input (#38)

We were failing to correctly escape content that we would then inject into the HTML of the post, causing an XSS.

Note this XSS is stopped by CSP.
This commit is contained in:
Joffrey JAFFEUX 2024-08-20 18:06:58 +02:00 committed by GitHub
parent 57045bc9e5
commit a62f711d56
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 3 additions and 0 deletions


@ -1,5 +1,6 @@
import { debounce, later } from "@ember/runloop";
import { withPluginApi } from "discourse/lib/plugin-api";
import { escapeExpression } from "discourse/lib/utilities";
import DiscoursePlaceholderBuilder from "../components/modal/discourse-placeholder-builder";
const VALID_TAGS =
@ -135,6 +136,8 @@ export default {
newValue = `${placeholder.delimiter}${key}${placeholder.delimiter}`;
}
newValue = escapeExpression(newValue);
cooked.querySelectorAll(VALID_TAGS).forEach((elem, index) => {
const mapping = mappings[index];