SECURITY: Escape HTML in dashboard report tables
This commit is contained in:
parent
68173cd234
commit
5c9426be48
|
@ -333,7 +333,7 @@ const Report = Discourse.Model.extend({
|
||||||
const formatedValue = () => {
|
const formatedValue = () => {
|
||||||
const topicId = row[properties.id];
|
const topicId = row[properties.id];
|
||||||
const href = Discourse.getURL(`/t/-/${topicId}`);
|
const href = Discourse.getURL(`/t/-/${topicId}`);
|
||||||
return `<a href='${href}'>${topicTitle}</a>`;
|
return `<a href='${href}'>${escapeExpression(topicTitle)}</a>`;
|
||||||
};
|
};
|
||||||
|
|
||||||
return {
|
return {
|
||||||
|
@ -352,7 +352,7 @@ const Report = Discourse.Model.extend({
|
||||||
property: properties.title,
|
property: properties.title,
|
||||||
value: postTitle,
|
value: postTitle,
|
||||||
formatedValue:
|
formatedValue:
|
||||||
postTitle && href ? `<a href='${href}'>${postTitle}</a>` : "—"
|
postTitle && href ? `<a href='${href}'>${escapeExpression(postTitle)}</a>` : "—"
|
||||||
};
|
};
|
||||||
},
|
},
|
||||||
|
|
||||||
|
|
|
@ -402,9 +402,9 @@ QUnit.test("computed labels", assert => {
|
||||||
time_read: 287362,
|
time_read: 287362,
|
||||||
note: "This is a long note",
|
note: "This is a long note",
|
||||||
topic_id: 2,
|
topic_id: 2,
|
||||||
topic_title: "Test topic",
|
topic_title: "Test topic <html>",
|
||||||
post_number: 3,
|
post_number: 3,
|
||||||
post_raw: "This is the beginning of",
|
post_raw: "This is the beginning of <html>",
|
||||||
filesize: 582641
|
filesize: 582641
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
@ -502,9 +502,9 @@ QUnit.test("computed labels", assert => {
|
||||||
const computedTopicLabel = topicLabel.compute(row);
|
const computedTopicLabel = topicLabel.compute(row);
|
||||||
assert.equal(
|
assert.equal(
|
||||||
computedTopicLabel.formatedValue,
|
computedTopicLabel.formatedValue,
|
||||||
"<a href='/t/-/2'>Test topic</a>"
|
"<a href='/t/-/2'>Test topic <html></a>"
|
||||||
);
|
);
|
||||||
assert.equal(computedTopicLabel.value, "Test topic");
|
assert.equal(computedTopicLabel.value, "Test topic <html>");
|
||||||
|
|
||||||
const postLabel = computedLabels[5];
|
const postLabel = computedLabels[5];
|
||||||
assert.equal(postLabel.mainProperty, "post_raw");
|
assert.equal(postLabel.mainProperty, "post_raw");
|
||||||
|
@ -514,9 +514,9 @@ QUnit.test("computed labels", assert => {
|
||||||
const computedPostLabel = postLabel.compute(row);
|
const computedPostLabel = postLabel.compute(row);
|
||||||
assert.equal(
|
assert.equal(
|
||||||
computedPostLabel.formatedValue,
|
computedPostLabel.formatedValue,
|
||||||
"<a href='/t/-/2/3'>This is the beginning of</a>"
|
"<a href='/t/-/2/3'>This is the beginning of <html></a>"
|
||||||
);
|
);
|
||||||
assert.equal(computedPostLabel.value, "This is the beginning of");
|
assert.equal(computedPostLabel.value, "This is the beginning of <html>");
|
||||||
|
|
||||||
const filesizeLabel = computedLabels[6];
|
const filesizeLabel = computedLabels[6];
|
||||||
assert.equal(filesizeLabel.mainProperty, "filesize");
|
assert.equal(filesizeLabel.mainProperty, "filesize");
|
||||||
|
@ -533,11 +533,11 @@ QUnit.test("computed labels", assert => {
|
||||||
const postLink = computedLabels[5].compute(row).formatedValue;
|
const postLink = computedLabels[5].compute(row).formatedValue;
|
||||||
assert.equal(
|
assert.equal(
|
||||||
postLink,
|
postLink,
|
||||||
"<a href='/forum/t/-/2/3'>This is the beginning of</a>"
|
"<a href='/forum/t/-/2/3'>This is the beginning of <html></a>"
|
||||||
);
|
);
|
||||||
|
|
||||||
const topicLink = computedLabels[4].compute(row).formatedValue;
|
const topicLink = computedLabels[4].compute(row).formatedValue;
|
||||||
assert.equal(topicLink, "<a href='/forum/t/-/2'>Test topic</a>");
|
assert.equal(topicLink, "<a href='/forum/t/-/2'>Test topic <html></a>");
|
||||||
|
|
||||||
const userLink = computedLabels[0].compute(row).formatedValue;
|
const userLink = computedLabels[0].compute(row).formatedValue;
|
||||||
assert.equal(
|
assert.equal(
|
||||||
|
|
Loading…
Reference in New Issue