SECURITY: XSS Protection on Queued Posts

Robin Ward 2015-11-20 14:13:00 -05:00
parent 83d5b82c84
commit 8fdd6c18fc
2 changed files with 8 additions and 1 deletions


@ -1,6 +1,6 @@
import registerUnbound from 'discourse/helpers/register-unbound'; import registerUnbound from 'discourse/helpers/register-unbound';
registerUnbound('cook-text', function(text) { registerUnbound('cook-text', function(text) {
return new Handlebars.SafeString(Discourse.Markdown.cook(text)); return new Handlebars.SafeString(Discourse.Markdown.cook(text, {sanitize: true}));
}); });
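Review bot: The `new Handlebars.SafeString(...)` wrapper on the changed line turns off template escaping, so this helper's output is only as safe as `Discourse.Markdown.cook(text, {sanitize: true})`, and nothing at the call site records that dependency. I would add a comment above the return, for example `// SafeString bypasses escaping: cook() must be called with sanitize: true here`, and a regression test that cooks text containing a script tag and asserts it is absent from the result. The helper is registered under the generic name `cook-text`, so any template that uses it presumably needs the sanitizer bundle loaded. This commit loads it in only one route, so other call sites are worth checking.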


@ -1,6 +1,13 @@
import loadScript from 'discourse/lib/load-script';
import DiscourseRoute from 'discourse/routes/discourse'; import DiscourseRoute from 'discourse/routes/discourse';
export default DiscourseRoute.extend({ export default DiscourseRoute.extend({
// this route requires the sanitizer
beforeModel() {
loadScript('defer/html-sanitizer-bundle');
},
model() { model() {
return this.store.find('queuedPost', {status: 'new'}); return this.store.find('queuedPost', {status: 'new'});
}, },
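Review bot: `beforeModel()` calls `loadScript('defer/html-sanitizer-bundle')` without returning its result, so the router has nothing to wait on and the queued posts may be fetched and rendered before the sanitizer is available. If `loadScript` returns a promise, as its use here suggests, the line should read `return loadScript('defer/html-sanitizer-bundle');` so the transition pauses until the bundle has loaded. What `cook` does with `sanitize: true` when the sanitizer is missing is not visible in this commit; it should fail closed by escaping the text rather than emitting unsanitized HTML. The route definition continues past the end of this hunk.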