From 3374457c447992a4f4c0249f554eeede5151aeb6 Mon Sep 17 00:00:00 2001
From: Blake Erickson
Date: Fri, 10 Feb 2023 09:09:26 -0700
Subject: [PATCH] SECURITY: Fix XSS in full name composer reply

We are using htmlSafe when rendering the name field so we need to escape any html being passed in.
---
 .../discourse/app/components/composer-action-title.js | 5 ++++-
 .../discourse/tests/acceptance/composer-actions-test.js | 6 +++---
 app/assets/javascripts/discourse/tests/fixtures/topic.js | 2 +-
 3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/app/assets/javascripts/discourse/app/components/composer-action-title.js b/app/assets/javascripts/discourse/app/components/composer-action-title.js
index b4c35e6c9ea..5e863b09959 100644
--- a/app/assets/javascripts/discourse/app/components/composer-action-title.js
+++ b/app/assets/javascripts/discourse/app/components/composer-action-title.js
@@ -12,6 +12,7 @@ import { alias } from "@ember/object/computed";
 import discourseComputed from "discourse-common/utils/decorators";
 import { iconHTML } from "discourse-common/lib/icon-library";
 import { htmlSafe } from "@ember/template";
+import { escape } from "pretty-text/sanitizer";
 
 const TITLES = {
 [PRIVATE_MESSAGE]: "topic.private_message",
@@ -84,7 +85,9 @@ export default Component.extend({
 },
 
 _formatReplyToUserPost(avatar, link) {
- const htmlLink = `${link.anchor}`;
+ const htmlLink = `${escape(
+ link.anchor
+ )}`;
 return htmlSafe(`${avatar}${htmlLink}`);
 },
 });
diff --git a/app/assets/javascripts/discourse/tests/acceptance/composer-actions-test.js b/app/assets/javascripts/discourse/tests/acceptance/composer-actions-test.js
index 35804af7099..dcd0adea595 100644
--- a/app/assets/javascripts/discourse/tests/acceptance/composer-actions-test.js
+++ b/app/assets/javascripts/discourse/tests/acceptance/composer-actions-test.js
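Review bot: The `escape(link.anchor)` call in `_formatReplyToUserPost` carries no comment saying why it is there, and since the result goes straight into `htmlSafe()` the next reader has no signal that this template literal is the point where Ember's automatic escaping is switched off; add `// link.anchor is a user-supplied display name and htmlSafe() bypasses Ember's escaping, so it must be escaped here` above the `const htmlLink` line. The markup around `${escape(...)}` is not visible in this rendering, so if the same literal also interpolates other `link` fields (for example a URL attribute) they need the same treatment, and for an attribute value it should be confirmed that this `escape` helper also encodes quote characters. The `escape` import added in the first hunk of this file is the right place to pull the helper from as long as `pretty-text/sanitizer` is already part of this bundle.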
@@ -518,11 +518,11 @@ acceptance("Prioritize Full Name", function (needs) {
 test("Reply to post use full name", async function (assert) {
 await visit("/t/short-topic-with-two-posts/54079");
- await click("article#post_2 button.reply");
+ await click("article#post_3 button.reply");
 assert.strictEqual(
- query(".action-title .user-link").innerText.trim(),
- "james, john, the third"
+ query(".action-title .user-link").innerHTML.trim(),
+ "<h1>Tim Stone</h1>"
 );
 });
diff --git a/app/assets/javascripts/discourse/tests/fixtures/topic.js b/app/assets/javascripts/discourse/tests/fixtures/topic.js
index fa37c17c5c0..bbefba6ead5 100644
--- a/app/assets/javascripts/discourse/tests/fixtures/topic.js
+++ b/app/assets/javascripts/discourse/tests/fixtures/topic.js
@@ -6497,7 +6497,7 @@ export default {
 },
 {
 id: 419,
- name: "Tim Stone",
+ name: "
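Review bot: The new assertion compares `innerHTML` with an expected string that, as shown here, reads `<h1>Tim Stone</h1>`; if the source literally contains `<h1>` rather than the entity form `&lt;h1&gt;Tim Stone&lt;/h1&gt;`, the test can only pass when a real `<h1>` element was rendered, which is the unescaped outcome this commit is meant to rule out (the page may simply have decoded the entities, so this may be a rendering artifact rather than a defect in the test). Asserting on `innerText` removes that ambiguity, because a text node reads back as the literal characters regardless of how they are encoded in the serialization: `query(".action-title .user-link").innerText.trim(), "<h1>Tim Stone</h1>"`. A second check that no element was created, `assert.strictEqual(query(".action-title .user-link h1"), null);`, pins the escaping behaviour directly. The enclosing `acceptance` block starts and ends outside the hunk.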

Tim Stone

",
 username: "tms",
 avatar_template: "/letter_avatar_proxy/v4/letter/t/3be4f8/{size}.png",
 uploaded_avatar_id: 40181,