SECURITY: XSS in poll errors dialog

riking 2015-05-08 19:28:04 -07:00
parent 940fa5b572
commit 7238c43018


@ -220,7 +220,7 @@ after_initialize do
if polls.has_key?(poll["name"])
poll["name"] == DEFAULT_POLL_NAME ?
self.errors.add(:base, I18n.t("poll.multiple_polls_without_name")) :
self.errors.add(:base, I18n.t("poll.multiple_polls_with_same_name", name: poll["name"]))
self.errors.add(:base, I18n.t("poll.multiple_polls_with_same_name", name: ERB::Util.html_escape(poll["name"])))
return
end
@ -228,7 +228,7 @@ after_initialize do
if poll["options"].map { |o| o["id"] }.uniq.size != poll["options"].size
poll["name"] == DEFAULT_POLL_NAME ?
self.errors.add(:base, I18n.t("poll.default_poll_must_have_different_options")) :
self.errors.add(:base, I18n.t("poll.named_poll_must_have_different_options", name: poll["name"]))
self.errors.add(:base, I18n.t("poll.named_poll_must_have_different_options", name: ERB::Util.html_escape(poll["name"])))
return
end
@ -236,7 +236,7 @@ after_initialize do
if poll["options"].size < 2
poll["name"] == DEFAULT_POLL_NAME ?
self.errors.add(:base, I18n.t("poll.default_poll_must_have_at_least_2_options")) :
self.errors.add(:base, I18n.t("poll.named_poll_must_have_at_least_2_options", name: poll["name"]))
self.errors.add(:base, I18n.t("poll.named_poll_must_have_at_least_2_options", name: ERB::Util.html_escape(poll["name"])))
return
end
@ -244,7 +244,7 @@ after_initialize do
if poll["options"].size > SiteSetting.poll_maximum_options
poll["name"] == DEFAULT_POLL_NAME ?
self.errors.add(:base, I18n.t("poll.default_poll_must_have_less_options", max: SiteSetting.poll_maximum_options)) :
self.errors.add(:base, I18n.t("poll.named_poll_must_have_less_options", name: poll["name"], max: SiteSetting.poll_maximum_options))
self.errors.add(:base, I18n.t("poll.named_poll_must_have_less_options", name: ERB::Util.html_escape(poll["name"]), max: SiteSetting.poll_maximum_options))
return
end
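Review bot: The escape of `poll["name"]` is written out separately in each of the four named-poll branches (the `multiple_polls_with_same_name`, `named_poll_must_have_different_options`, `named_poll_must_have_at_least_2_options` and `named_poll_must_have_less_options` messages), so a later message that interpolates the name can miss it and reopen the XSS. I would compute it once ahead of the checks, `escaped_name = ERB::Util.html_escape(poll["name"])`, and pass `name: escaped_name` in each branch, with a comment such as `# poll name is author-supplied and these errors are shown as HTML in the client dialog` (assuming the name does come from post content, which these hunks do not show). The enclosing `after_initialize` block starts and ends outside the hunks, so the right place for the local is not visible here. Because the escaping is applied when the message is built rather than where the dialog renders it, any consumer that treats these errors as plain text would presumably display entities; that is worth confirming. A spec that submits a poll name containing markup and asserts the escaped error text would guard against regression.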