SECURITY: XSS Protection on Queued Posts

2015-11-20 14:13:00 -05:00 · 2015-11-20 14:13:00 -05:00 · 8fdd6c18fc
parent 83d5b82c84
commit 8fdd6c18fc
2 changed files with 8 additions and 1 deletions
--- a/app/assets/javascripts/discourse/helpers/cook-text.js.es6
+++ b/app/assets/javascripts/discourse/helpers/cook-text.js.es6
@ -1,6 +1,6 @@
 import registerUnbound from 'discourse/helpers/register-unbound';

 registerUnbound('cook-text', function(text) {
-  return new Handlebars.SafeString(Discourse.Markdown.cook(text));
+  return new Handlebars.SafeString(Discourse.Markdown.cook(text, {sanitize: true}));
 });

--- a/app/assets/javascripts/discourse/routes/queued-posts.js.es6
+++ b/app/assets/javascripts/discourse/routes/queued-posts.js.es6
@ -1,6 +1,13 @@
+import loadScript from 'discourse/lib/load-script';
 import DiscourseRoute from 'discourse/routes/discourse';

 export default DiscourseRoute.extend({
+
+  // this route requires the sanitizer
+  beforeModel() {
+    loadScript('defer/html-sanitizer-bundle');
+  },
+
  model() {
    return this.store.find('queuedPost', {status: 'new'});
  },