SECURITY: fix XSS
parent
06d712a4c1
commit
d3becd2969
|
@ -7,14 +7,27 @@ export default Discourse.ObjectController.extend({
|
||||||
return this.get("data.display_username");
|
return this.get("data.display_username");
|
||||||
}.property(),
|
}.property(),
|
||||||
|
|
||||||
link: function() {
|
safe: function(prop){
|
||||||
if (this.get('data.badge_id')) {
|
var val = this.get(prop);
|
||||||
return '<a href="/badges/' + this.get('data.badge_id') + '/' + this.get('data.badge_name').replace(/[^A-Za-z0-9_]+/g, '-').toLowerCase() + '">' + this.get('data.badge_name') + '</a>';
|
if(val) {
|
||||||
|
val = Handlebars.Utils.escapeExpression(val);
|
||||||
}
|
}
|
||||||
|
return val;
|
||||||
|
},
|
||||||
|
|
||||||
|
link: function() {
|
||||||
|
|
||||||
|
var badgeId = this.safe('data.badge_id');
|
||||||
|
if (badgeId) {
|
||||||
|
var badgeName = this.safe('data.badge_name');
|
||||||
|
return '<a href="/badges/' + badgeId + '/' + badgeName.replace(/[^A-Za-z0-9_]+/g, '-').toLowerCase() + '">' + badgeName + '</a>';
|
||||||
|
}
|
||||||
|
|
||||||
if (this.blank("data.topic_title")) {
|
if (this.blank("data.topic_title")) {
|
||||||
return "";
|
return "";
|
||||||
}
|
}
|
||||||
var url = Discourse.Utilities.postUrl(this.get("slug"), this.get("topic_id"), this.get("post_number"));
|
|
||||||
return '<a href="' + url + '">' + this.get("data.topic_title") + '</a>';
|
var url = Discourse.Utilities.postUrl(this.safe("slug"), this.safe("topic_id"), this.safe("post_number"));
|
||||||
|
return '<a href="' + url + '">' + this.safe("data.topic_title") + '</a>';
|
||||||
}.property()
|
}.property()
|
||||||
});
|
});
|
||||||
|
|
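Review bot: In the badge branch of `link`, the URL slug is now derived from the already HTML-escaped name, so a badge name containing `&`, `<` or a quote yields a different path than before (for example `&` becomes `&amp;` and then `-amp-` in the slug), and `badgeName.replace` still throws when `data.badge_name` is absent because `safe` returns the falsy value unchanged. The regex output is limited to `[A-Za-z0-9_-]`, so the slug can be built from the raw value and only the link text needs escaping: `var slug = (this.get('data.badge_name') || '').replace(/[^A-Za-z0-9_]+/g, '-').toLowerCase();`. In the topic branch the pieces are escaped before `Discourse.Utilities.postUrl` assembles them; that helper is not visible here, so it would be more robust to escape at the sink with `Handlebars.Utils.escapeExpression(url)` when writing the `href`. A short comment on `safe` saying it returns HTML-escaped text for use in hand-built markup, and passes falsy values through unchanged, would help the next caller use it correctly.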