Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3192 from riking/patch-xss 

SECURITY: missed html escaping
This commit is contained in:
Robin Ward 2015-02-10 15:24:09 -05:00
parent c4e427cf73 83b51875bb
commit c0856daf13
2 changed files with 9 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
app/assets/javascripts/discourse/controllers/composer.js.es6
View File

@ -181,11 +181,11 @@ export default DiscourseController.extend({
// for now handle a very narrow use case // for now handle a very narrow use case
// if we are replying to a topic AND not on the topic pop the window up // if we are replying to a topic AND not on the topic pop the window up
if(!force && composer.get('replyingToTopic')) { if (!force && composer.get('replyingToTopic')) {
var topic = this.get('topic'); var topic = this.get('topic');
if (!topic || topic.get('id') !== composer.get('topic.id')) if (!topic || topic.get('id') !== composer.get('topic.id'))
{ {
var message = I18n.t("composer.posting_not_on_topic", {title: this.get('model.topic.title')}); var message = I18n.t("composer.posting_not_on_topic");
var buttons = [{ var buttons = [{
"label": I18n.t("composer.cancel"), "label": I18n.t("composer.cancel"),
@ -193,11 +193,11 @@ export default DiscourseController.extend({
"link": true "link": true
}]; }];
if(topic) { if (topic) {
buttons.push({ buttons.push({
"label": I18n.t("composer.reply_here") + "<br/><div class='topic-title overflow-ellipsis'>" + topic.get('title') + "</div>", "label": I18n.t("composer.reply_here") + "<br/><div class='topic-title overflow-ellipsis'>" + Handlebars.Utils.escapeExpression(topic.get('title')) + "</div>",
"class": "btn btn-reply-here", "class": "btn btn-reply-here",
"callback": function(){ "callback": function() {
composer.set('topic', topic); composer.set('topic', topic);
composer.set('post', null); composer.set('post', null);
self.save(true); self.save(true);
@ -206,14 +206,14 @@ export default DiscourseController.extend({
} }
buttons.push({ buttons.push({
"label": I18n.t("composer.reply_original") + "<br/><div class='topic-title overflow-ellipsis'>" + this.get('model.topic.title') + "</div>", "label": I18n.t("composer.reply_original") + "<br/><div class='topic-title overflow-ellipsis'>" + Handlebars.Utils.escapeExpression(this.get('model.topic.title')) + "</div>",
"class": "btn-primary btn-reply-on-original", "class": "btn-primary btn-reply-on-original",
"callback": function(){ "callback": function() {
self.save(true); self.save(true);
} }
}); });
bootbox.dialog(message, buttons, {"classes": "reply-where-modal"}); bootbox.dialog(message, buttons, { "classes": "reply-where-modal" });
return; return;
} }
} }

8
app/models/topic.rb
View File

@ -249,13 +249,7 @@ class Topic < ActiveRecord::Base
end end
def fancy_title def fancy_title
sanitized_title = title.gsub(/['&\"<>]/, { sanitized_title = ERB::Util.html_escape(title)
"'" => '&#39;',
'&' => '&amp;',
'"' => '&quot;',
'<' => '&lt;',
'>' => '&gt;',
})
return unless sanitized_title return unless sanitized_title
return sanitized_title unless SiteSetting.title_fancy_entities? return sanitized_title unless SiteSetting.title_fancy_entities?