SECURITY: topic titles can show up in user page unescaped when streamed in

This commit is contained in:
Sam Saffron 2016-02-01 20:53:26 +11:00
parent 27aaed0aa5
commit 904e532439
1 changed files with 1 additions and 0 deletions

View File

@ -188,6 +188,7 @@ const User = RestModel.extend({
if ((this.get('stream.filter') || ua.action_type) !== ua.action_type) return; if ((this.get('stream.filter') || ua.action_type) !== ua.action_type) return;
if (!this.get('stream.filter') && !this.inAllStream(ua)) return; if (!this.get('stream.filter') && !this.inAllStream(ua)) return;
ua.title = Discourse.Emoji.unescape(Handlebars.Utils.escapeExpression(ua.title));
const action = UserAction.collapseStream([UserAction.create(ua)]); const action = UserAction.collapseStream([UserAction.create(ua)]);
stream.set('itemsLoaded', stream.get('itemsLoaded') + 1); stream.set('itemsLoaded', stream.get('itemsLoaded') + 1);
stream.get('content').insertAt(0, action[0]); stream.get('content').insertAt(0, action[0]);