SECURITY: fix XSS using fancy mention hack

This commit is contained in:
Sam 2014-07-25 17:26:57 +10:00
parent ae686e8188
commit 1d1dd43e27
1 changed files with 2 additions and 0 deletions

View File

@ -23,6 +23,8 @@ export default Discourse.ObjectController.extend({
showMoreBadges: Em.computed.gt('moreBadgesCount', 0), showMoreBadges: Em.computed.gt('moreBadgesCount', 0),
show: function(username, uploadedAvatarId) { show: function(username, uploadedAvatarId) {
// XSS protection (should be encapsulated)
username = username.replace(/[^A-Za-z0-9_]/g, "");
var url = "/users/" + username; var url = "/users/" + username;
// Don't show on mobile // Don't show on mobile