From a62f711d5600e4e5d86f342d52932cb6221672e7 Mon Sep 17 00:00:00 2001
From: Joffrey JAFFEUX
Date: Tue, 20 Aug 2024 18:06:58 +0200
Subject: [PATCH] SECURITY: properly escape user input (#38)

We were failing to correctly escape content which we would then inject in the HTML of the post causing an XSS. Note this XSS is stopped by CSP.

---
 javascripts/discourse/initializers/setup.js | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/javascripts/discourse/initializers/setup.js b/javascripts/discourse/initializers/setup.js
index 1d7d086..0634c98 100644
--- a/javascripts/discourse/initializers/setup.js
+++ b/javascripts/discourse/initializers/setup.js
@@ -1,5 +1,6 @@
 import { debounce, later } from "@ember/runloop";
 import { withPluginApi } from "discourse/lib/plugin-api";
+import { escapeExpression } from "discourse/lib/utilities";
 import DiscoursePlaceholderBuilder from "../components/modal/discourse-placeholder-builder";

 const VALID_TAGS =
@@ -135,6 +136,8 @@ export default {
 newValue = `${placeholder.delimiter}${key}${placeholder.delimiter}`;
 }

+ newValue = escapeExpression(newValue);
+
 cooked.querySelectorAll(VALID_TAGS).forEach((elem, index) => {
 const mapping = mappings[index];