XSS: Topic links needed sanitization

This commit is contained in:
Robin Ward 2014-06-14 12:53:48 -04:00
parent f3135533c2
commit 6f8888d405
2 changed files with 5 additions and 2 deletions


@ -38,7 +38,10 @@ export default Em.Component.extend({
buffer.push("<li><a href='" + Em.get(l, 'url') + "' class='track-link'>");
buffer.push("<i class='fa fa-arrow-" + direction + "'></i>");
buffer.push(Em.get(l, 'title'));
var title = Em.get(l, 'title');
if (!Em.isEmpty(title)) {
buffer.push(Handlebars.Utils.escapeExpression(title));
}
if (clicks) {
buffer.push("<span class='badge badge-notification clicks'>" + clicks + "</span>");
}
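Review bot: The `url` value concatenated into the `href` attribute on the first line of the hunk (`"<li><a href='" + Em.get(l, 'url') + "' class='track-link'>"`) is still inserted raw, so the fix escapes the link text but not the attribute just before it; a `'` in the URL terminates the attribute and whatever follows lands in the markup. The same escaping applied to the title belongs there too, e.g. `buffer.push("<li><a href='" + Handlebars.Utils.escapeExpression(Em.get(l, 'url')) + "' class='track-link'>");`. Attribute escaping does not neutralise a `javascript:` scheme, so if these URLs are not produced server-side the scheme should be checked as well — where `l` comes from is not visible in the hunk. `direction` and `clicks` are concatenated the same way; whether they are constrained values cannot be told from here. The enclosing render function starts before the hunk (`buffer`, `l`, `direction` and `clicks` are all declared outside it).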


@ -403,7 +403,7 @@ Discourse.Composer = Discourse.Model.extend({
var topic = this.get('topic');
topic.setProperties({
title: this.get('title'),
fancy_title: this.get('title'),
fancy_title: Handlebars.Utils.escapeExpression(this.get('title')),
category_id: parseInt(this.get('categoryId'), 10)
});
topic.save();
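Review bot: `fancy_title` is now stored pre-escaped on the local topic model while `title` on the line above stays raw, and nothing in the hunk records which templates render which field; a consumer that puts `fancy_title` through a normal `{{...}}` expression would double-escape it (`&` shown as `&amp;`), while one that renders `title` with `{{{...}}}` would still be injectable. A comment next to the assignment would pin the contract, e.g. `// fancy_title is rendered unescaped by the topic templates, so it must carry already-escaped HTML; title stays raw.` — the triple-stash rendering is inferred from the fact that this commit escapes the value here, so confirm it against the templates. If the server returns its own `fancy_title` in the `topic.save()` response, the value set here is only a placeholder until that arrives, which is worth stating in the same comment. The method wrapping this `setProperties` call starts before the hunk and may continue past it.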