Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

FIX: Sanitize theme settings properly before injecting into stylesheets (#7031)

This commit is contained in:
David Taylor 2019-03-08 08:58:06 +00:00 committed by GitHub
parent 2312caccdc
commit b101065bad
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 14 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
lib/stylesheet/importer.rb
View File

@ -144,9 +144,8 @@ COMMENT
end end
def to_scss_variable(name, value) def to_scss_variable(name, value)
escaped = value.to_s.gsub('"', "\\22") escaped = SassC::Script::Value::String.quote(value, sass: true)
escaped.gsub!("\n", "\\A") "$#{name}: unquote(#{escaped});\n"
"$#{name}: unquote(\"#{escaped}\");\n"
end end
def imports(asset, parent_path) def imports(asset, parent_path)

12
spec/models/theme_spec.rb
View File

@ -310,6 +310,18 @@ HTML
scss, _map = Stylesheet::Compiler.compile('@import "theme_variables"; @import "desktop_theme"; ', "theme.scss", theme_id: theme.id) scss, _map = Stylesheet::Compiler.compile('@import "theme_variables"; @import "desktop_theme"; ', "theme.scss", theme_id: theme.id)
expect(scss).to include("font-size:30px") expect(scss).to include("font-size:30px")
# Escapes correctly. If not, compiling this would throw an exception
setting.value = <<~MULTILINE
\#{$fakeinterpolatedvariable}
andanothervalue 'withquotes'; margin: 0;
MULTILINE
theme.set_field(target: :common, name: :scss, value: 'body {font-size: quote($font-size)}')
theme.save!
scss, _map = Stylesheet::Compiler.compile('@import "theme_variables"; @import "desktop_theme"; ', "theme.scss", theme_id: theme.id)
expect(scss).to include('font-size:"#{$fakeinterpolatedvariable}\a andanothervalue \'withquotes\'; margin: 0;\a"')
end end
it "allows values to be used in JS" do it "allows values to be used in JS" do