mirror of
https://github.com/discourse/discourse.git
synced 2025-02-21 19:55:43 +00:00
XSS: Topic links needed sanitization
parent
f3135533c2
commit
6f8888d405
@ -38,7 +38,10 @@ export default Em.Component.extend({
|
||||
|
||||
buffer.push("<li><a href='" + Em.get(l, 'url') + "' class='track-link'>");
|
||||
buffer.push("<i class='fa fa-arrow-" + direction + "'></i>");
|
||||
buffer.push(Em.get(l, 'title'));
|
||||
var title = Em.get(l, 'title');
|
||||
if (!Em.isEmpty(title)) {
|
||||
buffer.push(Handlebars.Utils.escapeExpression(title));
|
||||
}
|
||||
if (clicks) {
|
||||
buffer.push("<span class='badge badge-notification clicks'>" + clicks + "</span>");
|
||||
}
|
||||
|
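Review bot: The `href` on the first line of this hunk is still built from `Em.get(l, 'url')` with no escaping, so a single quote in the URL would end the attribute even though the title is now escaped. Unless the URL is guaranteed to be normalised before it reaches this component (not visible here), escape it the same way: `buffer.push("<li><a href='" + Handlebars.Utils.escapeExpression(Em.get(l, 'url')) + "' class='track-link'>");`. Escaping does not restrict the URL scheme, so a check that only http/https links are accepted belongs wherever the link record is created. The enclosing render function begins and ends outside the hunk.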
@ -403,7 +403,7 @@ Discourse.Composer = Discourse.Model.extend({
|
||||
var topic = this.get('topic');
|
||||
topic.setProperties({
|
||||
title: this.get('title'),
|
||||
fancy_title: this.get('title'),
|
||||
fancy_title: Handlebars.Utils.escapeExpression(this.get('title')),
|
||||
category_id: parseInt(this.get('categoryId'), 10)
|
||||
});
|
||||
topic.save();
|
||||
|
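Review bot: Nothing at this call site says why `fancy_title` is escaped while `title` on the line above it is stored raw, so a later edit could easily undo the fix. A comment such as `// fancy_title is output as HTML by the views, so it must never hold the raw user-typed title` would record the invariant. That the views output it unescaped is inferred from the commit title and is not visible in this hunk. Any other client-side code that assigns `fancy_title` would need the same escaping. The enclosing function begins and ends outside the hunk.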