SECURITY: Escape HTML in dashboard report tables

This commit is contained in:
David Taylor 2019-02-01 13:10:59 +00:00
parent 68173cd234
commit 5c9426be48
2 changed files with 10 additions and 10 deletions


@ -333,7 +333,7 @@ const Report = Discourse.Model.extend({
const formatedValue = () => { const formatedValue = () => {
const topicId = row[properties.id]; const topicId = row[properties.id];
const href = Discourse.getURL(`/t/-/${topicId}`); const href = Discourse.getURL(`/t/-/${topicId}`);
return `<a href='${href}'>${topicTitle}</a>`; return `<a href='${href}'>${escapeExpression(topicTitle)}</a>`;
}; };
return { return {
@ -352,7 +352,7 @@ const Report = Discourse.Model.extend({
property: properties.title, property: properties.title,
value: postTitle, value: postTitle,
formatedValue: formatedValue:
postTitle && href ? `<a href='${href}'>${postTitle}</a>` : "—" postTitle && href ? `<a href='${href}'>${escapeExpression(postTitle)}</a>` : "—"
}; };
}, },
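Review bot: The escaping added on the `topicTitle` and `postTitle` interpolations leaves `href` interpolated raw into the single-quoted attribute on the same lines; in the first hunk `href` is built from `row[properties.id]` two lines above, so a row value containing `'` or `>` would still break out of the attribute. Topic ids are presumably numeric on the server side, but nothing in this hunk enforces that, so treating the attribute value like the text, `return \`<a href='${escapeExpression(href)}'>${escapeExpression(topicTitle)}</a>\`;`, closes the gap consistently; the second hunk's `href` is computed outside the hunk and would need the same treatment there. The diffstat records no import change, so `escapeExpression` is presumably already in scope in this file — worth confirming rather than relying on a global.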


@ -402,9 +402,9 @@ QUnit.test("computed labels", assert => {
time_read: 287362, time_read: 287362,
note: "This is a long note", note: "This is a long note",
topic_id: 2, topic_id: 2,
topic_title: "Test topic", topic_title: "Test topic <html>",
post_number: 3, post_number: 3,
post_raw: "This is the beginning of", post_raw: "This is the beginning of <html>",
filesize: 582641 filesize: 582641
} }
]; ];
@ -502,9 +502,9 @@ QUnit.test("computed labels", assert => {
const computedTopicLabel = topicLabel.compute(row); const computedTopicLabel = topicLabel.compute(row);
assert.equal( assert.equal(
computedTopicLabel.formatedValue, computedTopicLabel.formatedValue,
"<a href='/t/-/2'>Test topic</a>" "<a href='/t/-/2'>Test topic &lt;html&gt;</a>"
); );
assert.equal(computedTopicLabel.value, "Test topic"); assert.equal(computedTopicLabel.value, "Test topic <html>");
const postLabel = computedLabels[5]; const postLabel = computedLabels[5];
assert.equal(postLabel.mainProperty, "post_raw"); assert.equal(postLabel.mainProperty, "post_raw");
@ -514,9 +514,9 @@ QUnit.test("computed labels", assert => {
const computedPostLabel = postLabel.compute(row); const computedPostLabel = postLabel.compute(row);
assert.equal( assert.equal(
computedPostLabel.formatedValue, computedPostLabel.formatedValue,
"<a href='/t/-/2/3'>This is the beginning of</a>" "<a href='/t/-/2/3'>This is the beginning of &lt;html&gt;</a>"
); );
assert.equal(computedPostLabel.value, "This is the beginning of"); assert.equal(computedPostLabel.value, "This is the beginning of <html>");
const filesizeLabel = computedLabels[6]; const filesizeLabel = computedLabels[6];
assert.equal(filesizeLabel.mainProperty, "filesize"); assert.equal(filesizeLabel.mainProperty, "filesize");
@ -533,11 +533,11 @@ QUnit.test("computed labels", assert => {
const postLink = computedLabels[5].compute(row).formatedValue; const postLink = computedLabels[5].compute(row).formatedValue;
assert.equal( assert.equal(
postLink, postLink,
"<a href='/forum/t/-/2/3'>This is the beginning of</a>" "<a href='/forum/t/-/2/3'>This is the beginning of &lt;html&gt;</a>"
); );
const topicLink = computedLabels[4].compute(row).formatedValue; const topicLink = computedLabels[4].compute(row).formatedValue;
assert.equal(topicLink, "<a href='/forum/t/-/2'>Test topic</a>"); assert.equal(topicLink, "<a href='/forum/t/-/2'>Test topic &lt;html&gt;</a>");
const userLink = computedLabels[0].compute(row).formatedValue; const userLink = computedLabels[0].compute(row).formatedValue;
assert.equal( assert.equal(