From 8fdd6c18fc6c801026a3aa1c1258896f283677c2 Mon Sep 17 00:00:00 2001
From: Robin Ward
Date: Fri, 20 Nov 2015 14:13:00 -0500
Subject: [PATCH] SECURITY: XSS Protection on Queued Posts
---
 app/assets/javascripts/discourse/helpers/cook-text.js.es6 | 2 +-
 .../javascripts/discourse/routes/queued-posts.js.es6 | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/app/assets/javascripts/discourse/helpers/cook-text.js.es6 b/app/assets/javascripts/discourse/helpers/cook-text.js.es6
index c7acadce1b1..a3756c3bd5b 100644
--- a/app/assets/javascripts/discourse/helpers/cook-text.js.es6
+++ b/app/assets/javascripts/discourse/helpers/cook-text.js.es6
@@ -1,6 +1,6 @@
 import registerUnbound from 'discourse/helpers/register-unbound';
 registerUnbound('cook-text', function(text) {
- return new Handlebars.SafeString(Discourse.Markdown.cook(text));
+ return new Handlebars.SafeString(Discourse.Markdown.cook(text, {sanitize: true}));
 });
diff --git a/app/assets/javascripts/discourse/routes/queued-posts.js.es6 b/app/assets/javascripts/discourse/routes/queued-posts.js.es6
index 2b39cb537c2..32706c9a6c3 100644
--- a/app/assets/javascripts/discourse/routes/queued-posts.js.es6
+++ b/app/assets/javascripts/discourse/routes/queued-posts.js.es6
@@ -1,6 +1,13 @@
+import loadScript from 'discourse/lib/load-script';
 import DiscourseRoute from 'discourse/routes/discourse';
 export default DiscourseRoute.extend({
+
+ // this route requires the sanitizer
+ beforeModel() {
+ loadScript('defer/html-sanitizer-bundle');
+ },
+
 model() {
 return this.store.find('queuedPost', {status: 'new'});
 },
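Review bot: The `cook-text` helper wraps the cooked markdown in `Handlebars.SafeString`, which turns off template escaping, so the only thing standing between unreviewed user input and the DOM is the `{sanitize: true}` option added on the `return` line — and nothing in this file says what `Discourse.Markdown.cook` does with that option when the sanitizer bundle has not been loaded (the second hunk loads it per-route, which suggests it is not always present). A comment on the helper should make that dependency explicit for the next person who reuses it in another template, e.g. `// Always sanitize: this renders user-submitted text as a SafeString (no template escaping),` / `// so the output is only safe if 'defer/html-sanitizer-bundle' has been loaded by the calling route.` It may also be worth checking whether `cook` falls back to unsanitized output when the sanitizer is absent; if it does, the helper should fail closed rather than render.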
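Review bot: `beforeModel()` calls `loadScript('defer/html-sanitizer-bundle')` but discards its result, so if `loadScript` returns a promise (its implementation is not in this diff) the route transition does not wait for the script, and the queued posts can be rendered through `cook-text` before the sanitizer exists — exactly the window this fix is meant to close. Returning the promise makes Ember hold the transition until the bundle is loaded: `return loadScript('defer/html-sanitizer-bundle');`. The comment above the hook could also state why, e.g. `// Block the transition until the sanitizer is loaded: queued posts are unreviewed user input.` The `DiscourseRoute.extend({` object continues past the end of the hunk.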