From c28c5083e0e7db96ec27f27c0107292e7469b214 Mon Sep 17 00:00:00 2001
From: Arpit Jalan
Date: Sun, 15 Apr 2018 17:24:04 +0530
Subject: [PATCH] SECURITY: santize tags when creating new topic via URL
---
 .../javascripts/discourse/controllers/composer.js.es6 | 9 +++++++--
 .../select-kit/components/mini-tag-chooser.js.es6 | 2 ++
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/app/assets/javascripts/discourse/controllers/composer.js.es6 b/app/assets/javascripts/discourse/controllers/composer.js.es6
index 414e117897e..b91e0d40da5 100644
--- a/app/assets/javascripts/discourse/controllers/composer.js.es6
+++ b/app/assets/javascripts/discourse/controllers/composer.js.es6
@@ -682,7 +682,7 @@ export default Ember.Controller.extend({
 }
 if (opts.topicTitle && opts.topicTitle.length <= this.siteSettings.max_topic_title_length) {
- this.set('model.title', opts.topicTitle);
+ this.set('model.title', escapeExpression(opts.topicTitle));
 }
 if (opts.topicCategoryId) {
@@ -707,7 +707,12 @@ export default Ember.Controller.extend({
 }
 if (opts.topicTags && !this.site.mobileView && this.site.get('can_tag_topics')) {
- this.set('model.tags', opts.topicTags.split(","));
+ const self = this;
+ let tags = escapeExpression(opts.topicTags).split(",").slice(0, self.siteSettings.max_tags_per_topic);
+ tags.forEach(function(tag, index, array) {
+ array[index] = tag.substring(0, self.siteSettings.max_tag_length);
+ });
+ self.set('model.tags', tags);
 }
 if (opts.topicBody) {
diff --git a/app/assets/javascripts/select-kit/components/mini-tag-chooser.js.es6 b/app/assets/javascripts/select-kit/components/mini-tag-chooser.js.es6
index 740fd9e61be..dbcb5d03841 100644
--- a/app/assets/javascripts/select-kit/components/mini-tag-chooser.js.es6
+++ b/app/assets/javascripts/select-kit/components/mini-tag-chooser.js.es6
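Review bot: The `max_topic_title_length` guard on the new title line is evaluated on the raw `opts.topicTitle`, but the value stored is `escapeExpression(opts.topicTitle)`, so a title that passes the check can exceed the limit once `&`, `<`, `"` and similar characters are expanded to entities. More significantly, this HTML-encodes the model value rather than the rendered output: if `model.title` is rendered through a binding that already escapes (confirm against the title template), a literal `&` will presumably show and be submitted as `&amp;`. If defense in depth at the injection point is the intent, keep `model.title` as plain text and make sure the render site escapes, as the mini-tag-chooser hunk in this commit does for tags; at minimum apply the length check after escaping: `const title = escapeExpression(opts.topicTitle);` `if (title.length <= this.siteSettings.max_topic_title_length) { this.set('model.title', title); }`. The enclosing method starts and ends outside this hunk.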
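Review bot: On the new `substring` line the tags are truncated after they have been escaped, so `max_tag_length` is measured against the encoded form and can cut an entity in half (`&amp;` becomes `&am`), and if the chooser's `tags` are the values set here, the `tag = escapeExpression(tag)` line added to mini-tag-chooser in this same commit encodes them a second time, so a tag containing `&` would display as `&amp;`. Truncating each raw tag first and escaping afterwards keeps the limit meaningful and avoids the broken entity, and an arrow function removes the need for `self` in an `.es6` file: `const tags = opts.topicTags.split(",").slice(0, this.siteSettings.max_tags_per_topic)` `.map(tag => escapeExpression(tag.substring(0, this.siteSettings.max_tag_length)));` `this.set('model.tags', tags);`. Note that `split(",")` keeps empty segments and surrounding whitespace, so `"a,,b "` yields three entries including an empty one. Whether escaping belongs in the model at all, given these values are also what gets submitted on save, or only at the render site is worth deciding once rather than doing both. The enclosing method starts and ends outside this hunk.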
@@ -2,6 +2,7 @@ import ComboBox from "select-kit/components/combo-box";
 import Tags from "select-kit/mixins/tags";
 import { default as computed } from "ember-addons/ember-computed-decorators";
 import renderTag from "discourse/lib/render-tag";
+import { escapeExpression } from 'discourse/lib/utilities';
 const { get, isEmpty, run, makeArray } = Ember;
 export default ComboBox.extend(Tags, {
@@ -110,6 +111,7 @@ export default ComboBox.extend(Tags, {
 }
 tags.map((tag) => {
+ tag = escapeExpression(tag);
 const isHighlighted = highlightedSelection.map(s => get(s, "value")).includes(tag);
 output += `