SECURITY: fix XSS

This commit is contained in:
Sam 2014-06-12 10:17:19 +10:00
parent 06d712a4c1
commit d3becd2969
1 changed files with 18 additions and 5 deletions


@ -7,14 +7,27 @@ export default Discourse.ObjectController.extend({
return this.get("data.display_username");
}.property(),
link: function() {
if (this.get('data.badge_id')) {
return '<a href="/badges/' + this.get('data.badge_id') + '/' + this.get('data.badge_name').replace(/[^A-Za-z0-9_]+/g, '-').toLowerCase() + '">' + this.get('data.badge_name') + '</a>';
safe: function(prop){
var val = this.get(prop);
if(val) {
val = Handlebars.Utils.escapeExpression(val);
}
return val;
},
link: function() {
var badgeId = this.safe('data.badge_id');
if (badgeId) {
var badgeName = this.safe('data.badge_name');
return '<a href="/badges/' + badgeId + '/' + badgeName.replace(/[^A-Za-z0-9_]+/g, '-').toLowerCase() + '">' + badgeName + '</a>';
}
if (this.blank("data.topic_title")) {
return "";
}
var url = Discourse.Utilities.postUrl(this.get("slug"), this.get("topic_id"), this.get("post_number"));
return '<a href="' + url + '">' + this.get("data.topic_title") + '</a>';
var url = Discourse.Utilities.postUrl(this.safe("slug"), this.safe("topic_id"), this.safe("post_number"));
return '<a href="' + url + '">' + this.safe("data.topic_title") + '</a>';
}.property()
});
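Review bot: In the topic branch `safe()` HTML-escapes `slug`, `topic_id` and `post_number` before they are handed to `Discourse.Utilities.postUrl`, yet the composed `url` itself is concatenated into the `href` without escaping, so the protection depends on what postUrl does with already-escaped parts rather than on escaping in the attribute context where the value is emitted; escaping the result once is simpler and does not rely on that helper: `var url = Handlebars.Utils.escapeExpression(Discourse.Utilities.postUrl(this.get("slug"), this.get("topic_id"), this.get("post_number")));`. The new `safe` helper also passes any falsy value through unescaped and converts others to a string via escapeExpression, which is not obvious from its name; a short comment above it such as `// HTML-escape a property value for inline markup; falsy values (undefined, null, 0, "") are returned unchanged` would help. As before the change, `badgeName.replace(...)` throws if a badge has an id but no name, which the commit does not address. The enclosing `Discourse.ObjectController.extend({` object starts before this hunk.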