Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SECURITY: A user could XSS themselves on their preference page

This commit is contained in:
Robin Ward 2015-10-20 12:09:59 -04:00
parent e08c9b8c49
commit 0428bacfa9
2 changed files with 12 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/assets/javascripts/discourse/components/d-editor.js.es6
View File

@ -29,7 +29,7 @@ export default Ember.Component.extend({
preview(ready, value) { preview(ready, value) {
if (!ready) { return; } if (!ready) { return; }
const text = Discourse.Dialect.cook(value || "", {}); const text = Discourse.Dialect.cook(value || "", {sanitize: true});
return text ? text : ""; return text ? text : "";
}, },

11
test/javascripts/components/d-editor-test.js.es6
View File

@ -19,6 +19,17 @@ componentTest('preview updates with markdown', {
} }
}); });
componentTest('preview sanitizes HTML', {
template: '{{d-editor value=value}}',
test(assert) {
this.set('value', `"><svg onload="prompt(/xss/)"></svg>`);
andThen(() => {
assert.equal(this.$('.d-editor-preview').html().trim(), '<p>\"&gt;</p>');
});
}
});
componentTest('updating the value refreshes the preview', { componentTest('updating the value refreshes the preview', {
template: '{{d-editor value=value}}', template: '{{d-editor value=value}}',