SECURITY: properly escape user input

This would only cause an issue with CSP disabled.
2022-01-05 09:41:17 +01:00 · 2022-01-05 09:41:17 +01:00 · bd83fb0625
parent 3adf5b8300
commit bd83fb0625
1 changed files with 28 additions and 25 deletions
--- a/javascripts/discourse/initializers/setup.js.es6
+++ b/javascripts/discourse/initializers/setup.js.es6
@ -1,3 +1,4 @@
+import { escapeExpression } from "discourse/lib/utilities";
 import showModal from "discourse/lib/show-modal";
 import { withPluginApi } from "discourse/lib/plugin-api";
 import { later, debounce } from "@ember/runloop";
@ -46,14 +47,14 @@ function buildSelect(key, placeholder) {
  if (placeholder.description) {
    addSelectOption(select, {
      value: "none",
-      description: placeholder.description
+      description: placeholder.description,
    });
  }

-  placeholder.defaults.forEach(value =>
+  placeholder.defaults.forEach((value) =>
    addSelectOption(select, {
      value,
-      selected: placeholder.default === value
+      selected: placeholder.default === value,
    })
  );

@ -64,7 +65,7 @@ export default {
  name: "discourse-placeholder-theme-component",

  initialize() {
-    withPluginApi("0.8.7", api => {
+    withPluginApi("0.8.7", (api) => {
      api.decorateCooked(
        ($cooked, postWidget) => {
          if (!postWidget) return;
@ -74,9 +75,9 @@ export default {
          const placeholders = {};

          function processChange(inputEvent) {
-            const value = inputEvent.target.value;
+            const value = escapeExpression(inputEvent.target.value);
            const key = inputEvent.target.dataset.key;
-            const placeholder = placeholders[inputEvent.target.dataset.key];
+            const placeholder = placeholders[key];
            const placeholderIdentifier = `${postIdentifier}${key}`;

            if (value) {
@ -103,7 +104,7 @@ export default {
              let replaced = false;
              let newInnnerHTML = elem.innerHTML;

-              mapping.forEach(m => {
+              mapping.forEach((m) => {
                if (
                  m.pattern !==
                  `${placeholder.delimiter}${key}${placeholder.delimiter}`
@ -136,7 +137,7 @@ export default {

            const keys = Object.keys(placeholders);
            const pattern = keys
-              .map(key => {
+              .map((key) => {
                const placeholder = placeholders[key];
                return `(${placeholder.delimiter}${key}${placeholder.delimiter})`;
              })
@ -152,7 +153,7 @@ export default {
                mappings[index].push({
                  pattern: match[0],
                  position: match.index,
-                  length: match[0].length
+                  length: match[0].length,
                });
              }
            });
@ -163,7 +164,7 @@ export default {
              processPlaceholders(placeholders, $cooked, mappings);

              // trigger fake event to setup initial state
-              Object.keys(placeholders).forEach(placeholderKey => {
+              Object.keys(placeholders).forEach((placeholderKey) => {
                const placeholder = placeholders[placeholderKey];
                const placeholderIdentifier = `${postIdentifier}${placeholderKey}`;
                const value =
@ -171,12 +172,12 @@ export default {

                processChange({
                  target: {
-                    value,
+                    value: escapeExpression(value),
                    dataset: {
                      key: placeholderKey,
-                      delimiter: placeholder.delimiter
-                    }
-                  }
+                      delimiter: placeholder.delimiter,
+                    },
+                  },
                });
              });
            }
@ -186,13 +187,15 @@ export default {
            ".d-wrap[data-wrap=placeholder]:not(.placeholdered)"
          );

-          placeholderNodes.forEach(elem => {
+          placeholderNodes.forEach((elem) => {
            const dataKey = elem.dataset.key;

            if (!dataKey) return;

            const placeholderIdentifier = `${postIdentifier}${dataKey}`;
-            const valueFromCookie = cookie(placeholderIdentifier);
+            const valueFromCookie = escapeExpression(
+              cookie(placeholderIdentifier)
+            );
            const defaultValues = (elem.dataset.defaults || "")
              .split(",")
              .filter(Boolean);
@ -201,7 +204,7 @@ export default {
              default: valueFromCookie || elem.dataset.default,
              defaults: defaultValues,
              delimiter: elem.dataset.delimiter || DELIMITER,
-              description: elem.dataset.description
+              description: elem.dataset.description,
            };

            const span = document.createElement("span");
@ -225,10 +228,10 @@ export default {
          });

          $cooked
-            .on("input", ".discourse-placeholder-value", inputEvent =>
+            .on("input", ".discourse-placeholder-value", (inputEvent) =>
              debounce(this, processChange, inputEvent, 150)
            )
-            .on("change", ".discourse-placeholder-select", inputEvent =>
+            .on("change", ".discourse-placeholder-select", (inputEvent) =>
              debounce(this, processChange, inputEvent, 150)
            );

@ -241,7 +244,7 @@ export default {
        return {
          action: "insertPlaceholder",
          icon: "file",
-          label: themePrefix("toolbar.builder")
+          label: themePrefix("toolbar.builder"),
        };
      });

@ -252,12 +255,12 @@ export default {
          insertPlaceholder() {
            showModal("discourse-placeholder-builder", {
              model: {
-                toolbarEvent: this.toolbarEvent
-              }
+                toolbarEvent: this.toolbarEvent,
+              },
            });
-          }
-        }
+          },
+        },
      });
    });
-  }
+  },
 };