SECURITY: XSS in "Account Suspended" Messages and Badge Descriptions

Robin Ward
2016-07-28 11:36:48 -04:00
parent 85a91c8b81
commit 2f8ab8cd30
5 changed files with 1694 additions and 11 deletions
@@ -1,6 +1,7 @@
import computed from 'ember-addons/ember-computed-decorators';
import DiscourseURL from 'discourse/lib/url';
import { emojiUnescape } from 'discourse/lib/text';
import { escapeExpression } from 'discourse/lib/utilities';
export default Ember.Component.extend({
size: 'medium',
@@ -39,10 +40,10 @@ export default Ember.Component.extend({
if (size === 'large') {
const longDescription = this.get('badge.long_description');
if (!_.isEmpty(longDescription)) {
return emojiUnescape(longDescription);
return emojiUnescape(escapeExpression(longDescription));
}
}
return this.get('badge.description');
return escapeExpression(this.get('badge.description'));
}
});
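Review bot: The call order on the new `return emojiUnescape(escapeExpression(longDescription));` line is load-bearing and deserves a comment, because escaping must run before emoji replacement so the `<img>` markup emojiUnescape presumably emits survives while any user-supplied HTML in the badge text is neutralised; a later "cleanup" that swaps the two calls would silently reopen the XSS. Suggested comment above that line: `// escape BEFORE emojiUnescape: emoji markup must survive, user HTML must not`. The same intent applies to the plain `escapeExpression(this.get('badge.description'))` branch, which now returns an escaped string rather than the raw value — if `escapeExpression` maps null/undefined to `''` (as Handlebars' does), callers that tested for an absent description may need a look. The computed property's decorator and signature sit above the hunk, so confirm there that both `badge.long_description` and `badge.description` are listed as dependent keys, otherwise an edited badge can keep showing a stale (pre-escape) value until re-render.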