SECURITY: Remove XSS in composer preview when applying image scale buttons.

2019-04-08 11:20:28 +08:00 · 2019-04-08 11:20:28 +08:00 · 33fa249fa5
parent 13c6bf54d0
commit 33fa249fa5
2 changed files with 22 additions and 8 deletions
--- a/app/assets/javascripts/discourse/components/composer-editor.js.es6
+++ b/app/assets/javascripts/discourse/components/composer-editor.js.es6
@ -878,15 +878,13 @@ export default Ember.Component.extend({
    if ($preview.find(".codeblock-image").length === 0) {
      this.$(".d-editor-preview *")
        .contents()
-        .filter(function() {
-          return this.nodeType === 3; // TEXT_NODE
-        })
        .each(function() {
-          $(this).replaceWith(
-            $(this)
-              .text()
-              .replace(imageScaleRegex, "<span class='codeblock-image'>$&</a>")
-          );
+          if (this.nodeType !== 3) return; // TEXT_NODE
+          const $this = $(this);
+
+          if ($this.text().match(imageScaleRegex)) {
+            $this.wrap("<span class='codeblock-image'></span>");
+          }
        });
    }

--- a/test/javascripts/acceptance/composer-test.js.es6
+++ b/test/javascripts/acceptance/composer-test.js.es6
@ -754,4 +754,20 @@ QUnit.test("Image resizing buttons", async assert => {
  uploads[9] = "![identicalImage|300x300,75%](upload://identicalImage.png)";
  await click(find(".button-wrapper .scale-btn[data-scale='75']")[5]);
  assertImageResized(assert, uploads);
+
+  await fillIn(
+    ".d-editor-input",
+    `
+![test|690x313](upload://test.png)
+
+\`<script>alert("xss")</script>\`
+    `
+  );
+
+  await triggerEvent($(".d-editor-preview img"), "mouseover");
+
+  assert.ok(
+    find("script").length === 0,
+    "it does not unescapes script tags in code blocks"
+  );
 });