SECURITY: Escape strings in logs

Sam Saffron 2014-09-16 07:53:17 +10:00
parent 8ba8846589
commit bb64c2236b
1 changed files with 2 additions and 2 deletions


@ -22,14 +22,14 @@ Discourse.StaffActionLog = Discourse.Model.extend({
formatted += this.format('admin.logs.staff_actions.previous_value', 'previous_value'); formatted += this.format('admin.logs.staff_actions.previous_value', 'previous_value');
} }
if (!this.get('useModalForDetails')) { if (!this.get('useModalForDetails')) {
if (this.get('details')) formatted += this.get('details') + '<br/>'; if (this.get('details')) formatted += Handlebars.Utils.escapeExpression(this.get('details')) + '<br/>';
} }
return formatted; return formatted;
}.property('ip_address', 'email'), }.property('ip_address', 'email'),
format: function(label, propertyName) { format: function(label, propertyName) {
if (this.get(propertyName)) { if (this.get(propertyName)) {
return ('<b>' + I18n.t(label) + ':</b> ' + this.get(propertyName) + '<br/>'); return ('<b>' + I18n.t(label) + ':</b> ' + Handlebars.Utils.escapeExpression(this.get(propertyName)) + '<br/>');
} else { } else {
return ''; return '';
} }
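Review bot: Escaping is applied separately at each concatenation site, once inside `format` and once on the `details` line of the computed property, so any field later appended to `formatted` without going through `format` would be emitted as raw HTML again. A comment above the property such as `// formatted is rendered as raw HTML: every model value must pass through Handlebars.Utils.escapeExpression` would make that invariant visible to the next editor. The path taken when `useModalForDetails` is true is not shown here, so it is worth confirming that the modal view also escapes `details`. Separately, the dependent keys in `.property('ip_address', 'email')` do not list `details` or `previous_value`, so the cached value may not recompute when those change. Both functions start or end outside this hunk.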