SECURITY: prevent XSS when showing diffs

This commit is contained in:
Régis Hanol 2018-04-16 15:46:32 +02:00
parent 001b0710c7
commit 4fb41663b3
1 changed files with 10 additions and 1 deletions


@ -3,6 +3,8 @@ import { categoryBadgeHTML } from 'discourse/helpers/category-link';
import computed from 'ember-addons/ember-computed-decorators';
import { propertyGreaterThan, propertyLessThan } from 'discourse/lib/computed';
import { on } from 'ember-addons/ember-computed-decorators';
import { default as WhiteLister } from 'pretty-text/white-lister';
import { sanitize } from 'pretty-text/sanitizer';
function customTagArray(fieldName) {
return function() {
@ -187,7 +189,14 @@ export default Ember.Controller.extend(ModalFunctionality, {
@computed('viewMode', 'model.body_changes')
bodyDiff(viewMode) {
return this.get("model.body_changes." + viewMode);
const html = this.get(`model.body_changes.${viewMode}`);
if (viewMode === "side_by_side_markdown") {
return html;
} else {
const whiteLister = new WhiteLister({ features: { editHistory: true }});
whiteLister.whiteListFeature("editHistory", { custom: () => true });
return sanitize(html, whiteLister);
}
},
actions: {
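Review bot: The `side_by_side_markdown` branch of `bodyDiff` returns `html` without passing it through `sanitize`, and nothing in the hunk records why that view mode is exempt, so the next view mode added here could copy the wrong branch. A comment on the `return html;` line along the lines of `// side_by_side_markdown is a diff of the raw source and is assumed to be HTML-escaped before it reaches the client; confirm before extending this exemption` would make the assumption visible — the escaping itself is not in these lines, so I cannot confirm where it happens. `whiteLister.whiteListFeature("editHistory", { custom: () => true })` also reads as an unconditional allowance; if the sanitizer consults `custom` when deciding whether to keep an attribute, this accepts every attribute on the whitelisted tags, so it is worth either narrowing it to the attributes the diff markup actually needs or documenting why the blanket allowance is safe. Stylistically, the `if` branch already returns, so the `else` wrapper can be dropped in favour of an early return. The enclosing `Ember.Controller.extend(...)` object starts before this hunk.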