XSS fix for category descriptions

2013-04-01 12:01:27 -04:00 · 2013-04-01 12:01:27 -04:00 · e4d190d856
parent 4c5ab8d688
commit e4d190d856
1 changed files with 6 additions and 7 deletions
--- a/app/assets/javascripts/discourse/components/utilities.js
+++ b/app/assets/javascripts/discourse/components/utilities.js
@ -39,19 +39,18 @@ Discourse.Utilities = {

  // Create a badge like category link
  categoryLink: function(category) {
-    var color, textColor, name, description, result;
    if (!category) return "";

-    color = Em.get(category, 'color');
-    textColor = Em.get(category, 'text_color');
-    name = Em.get(category, 'name');
-    description = Em.get(category, 'description');
+    var color = Em.get(category, 'color');
+    var textColor = Em.get(category, 'text_color');
+    var name = Em.get(category, 'name');
+    var description = Em.get(category, 'description');

    // Build the HTML link
-    result = "<a href=\"" + Discourse.getURL("/category/") + this.categoryUrlId(category) + "\" class=\"badge-category\" ";
+    var result = "<a href=\"" + Discourse.getURL("/category/") + this.categoryUrlId(category) + "\" class=\"badge-category\" ";

    // Add description if we have it
-    if (description) result += "title=\"" + description + "\" ";
+    if (description) result += "title=\"" + Handlebars.Utils.escapeExpression(description) + "\" ";

    return result + "style=\"background-color: #" + color + "; color: #" + textColor + ";\">" + name + "</a>";
  },