SECURITY: Sanitize PendingPost titles before rendering to prevent XSS (#19726)

Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
Alan Guo Xiang Tan 2023-01-05 06:08:05 +08:00 committed by GitHub
parent ab3a032b4b
commit c0e2d7bada
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 15 additions and 3 deletions


@ -1,4 +1,6 @@
import DiscourseRoute from "discourse/routes/discourse";
import { emojiUnescape } from "discourse/lib/text";
import { escapeExpression } from "discourse/lib/utilities";
export default DiscourseRoute.extend({
beforeModel() {
@ -6,9 +8,19 @@ export default DiscourseRoute.extend({
},
model() {
return this.store.findAll("pending-post", {
username: this.username,
});
return this.store
.findAll("pending-post", {
username: this.username,
})
.then((pendingPosts) => {
for (let pendingPost of pendingPosts.content) {
pendingPost.title = emojiUnescape(
escapeExpression(pendingPost.title)
);
}
return pendingPosts;
});
},
activate() {
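Review bot: In `model()`, the loop overwrites `pendingPost.title` in place, so from this point the field holds HTML markup rather than the text the server sent, and nothing on the record says so. Any other consumer of the same record that escapes the title again will show entities such as `&amp;amp;`, and any consumer that assumes plain text can no longer tell which form it has. Presumably the template outputs this value without escaping, which is why it is escaped here. If so, writing the result to a separate field, for example `pendingPost.titleHtml = emojiUnescape(escapeExpression(pendingPost.title));` (the field name is illustrative), and rendering only that field would keep the raw and safe forms distinct. At minimum the loop deserves a comment such as `// escape first, then expand emoji: emojiUnescape emits markup and must only ever see escaped text`, because reversing the two calls would reopen the hole. The commit changes a single file, so a rendering test with a title containing markup would be worth adding to pin the fix; the route object itself continues outside this hunk.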