From 33fa249fa5193b7cdb4d515ffad3a249eba38c9c Mon Sep 17 00:00:00 2001
From: Guo Xiang Tan
Date: Mon, 8 Apr 2019 11:20:28 +0800
Subject: [PATCH] SECURITY: Remove XSS in composer preview when applying image scale buttons.
---
 .../discourse/components/composer-editor.js.es6 | 14 ++++++--------
 test/javascripts/acceptance/composer-test.js.es6 | 16 ++++++++++++++++
 2 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/app/assets/javascripts/discourse/components/composer-editor.js.es6 b/app/assets/javascripts/discourse/components/composer-editor.js.es6
index c73d3647b44..e477d520e2b 100644
--- a/app/assets/javascripts/discourse/components/composer-editor.js.es6
+++ b/app/assets/javascripts/discourse/components/composer-editor.js.es6
@@ -878,15 +878,13 @@ export default Ember.Component.extend({
 if ($preview.find(".codeblock-image").length === 0) {
 this.$(".d-editor-preview *")
 .contents()
- .filter(function() {
- return this.nodeType === 3; // TEXT_NODE
- })
 .each(function() {
- $(this).replaceWith(
- $(this)
- .text()
- .replace(imageScaleRegex, "$&")
- );
+ if (this.nodeType !== 3) return; // TEXT_NODE
+ const $this = $(this);
+
+ if ($this.text().match(imageScaleRegex)) {
+ $this.wrap("");
+ }
 });
 }
 
diff --git a/test/javascripts/acceptance/composer-test.js.es6 b/test/javascripts/acceptance/composer-test.js.es6
index e205592ad7f..cc8b5e12b35 100644
--- a/test/javascripts/acceptance/composer-test.js.es6
+++ b/test/javascripts/acceptance/composer-test.js.es6
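Review bot: The reason the matching text node is now wrapped instead of being re-parsed is not recorded next to the new `$this.wrap(...)` call in the composer-editor hunk, and the removed `.replaceWith(...)` chain that appears to have been the XSS sink disappears with the diff, so nothing stops a later refactor from feeding the node's text back through jQuery's HTML parser. I would add above the `if ($this.text().match(imageScaleRegex))` line: `// Security: never hand this node's text to replaceWith()/html() — markup that markdown escaped into a code block would be parsed as live DOM; wrap() keeps the text node untouched.` As a style point, `this.nodeType !== 3` with a trailing `// TEXT_NODE` reads more clearly as `if (this.nodeType !== Node.TEXT_NODE) return;`. The wrapper markup passed to `wrap()` is not visible in this extraction, so I cannot confirm it is a fixed literal; it must never be derived from the node's text. The enclosing component method starts and ends outside the hunk.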
@@ -754,4 +754,20 @@ QUnit.test("Image resizing buttons", async assert => {
 uploads[9] = "![identicalImage|300x300,75%](upload://identicalImage.png)";
 await click(find(".button-wrapper .scale-btn[data-scale='75']")[5]);
 assertImageResized(assert, uploads);
+
+ await fillIn(
+ ".d-editor-input",
+ `
+![test|690x313](upload://test.png)
+
+\`\`
+ `
+ );
+
+ await triggerEvent($(".d-editor-preview img"), "mouseover");
+
+ assert.ok(
+ find("script").length === 0,
+ "it does not unescapes script tags in code blocks"
+ );
 });
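Review bot: The check `find("script").length === 0` only proves that no script element was created, which is narrower than what the fix guarantees and would pass for a payload that relies on an event-handler attribute rather than a script tag; asserting that the preview's inline code element still holds the raw payload as text (for example by inspecting `find(".d-editor-preview code").text()`) would pin the intended behaviour directly, though the fixture's inline-code content is not visible in this extraction so the exact expected string cannot be stated here. Writing the existing check as `assert.equal(find("script").length, 0, "it does not unescape script tags in code blocks");` would also report the actual element count on failure instead of a bare `false`, and fixes the typo in the message ("unescapes"). The enclosing QUnit test starts outside the hunk.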