From 629bb8adf2f4e96ef69e2f975f6860ad4fbe204b Mon Sep 17 00:00:00 2001
From: Robin Ward
Date: Tue, 9 Jul 2019 15:45:03 -0400
Subject: [PATCH] SECURITY: XSS with title selector on preferences page

Note this is very low severity as the group needs to be created with a default title that contains HTML, and group creation is restricted to staff members right now.

---
 app/assets/javascripts/discourse/models/user.js.es6 | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/app/assets/javascripts/discourse/models/user.js.es6 b/app/assets/javascripts/discourse/models/user.js.es6
index fee74ec56b8..9beef8e18cd 100644
--- a/app/assets/javascripts/discourse/models/user.js.es6
+++ b/app/assets/javascripts/discourse/models/user.js.es6
@@ -748,7 +748,9 @@ const User = RestModel.extend({
 }
 });
 
- return _.uniq(titles).sort();
+ return _.uniq(titles)
+ .sort()
+ .map(Ember.Handlebars.Utils.escapeExpression);
 },
 
 @computed("user_option.text_size_seq", "user_option.text_size")
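Review bot: Escaping inside the model on the added `.map(Ember.Handlebars.Utils.escapeExpression)` line alters the returned values, not just their rendering, so anywhere this array supplies the selected or submitted value of the title selector the escaped string will no longer equal the user's stored `title` and a title containing `&`, `<` or `"` would round-trip to the server in its escaped form. If the selector binds these strings as values (inferred from the subject line, not visible in the hunk), the safer shape is to escape at the render site, or return `{ name, value }` pairs with only `name` escaped, and leave the data layer untouched. Whichever is kept, the `.map` line deserves a why-comment such as `// group default titles may contain HTML; escaped here because the selector renders them unescaped` so the next maintainer does not remove it as redundant with Handlebars' default escaping. The enclosing computed property begins outside the hunk.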