SECURITY: topic titles can show up in user page unescaped when streamed in

2016-02-01 20:53:26 +11:00 · 2016-02-01 20:53:26 +11:00 · 51da6676f0
commit 51da6676f0
parent 9e22fa91e8
1 changed files with 3 additions and 1 deletions
--- a/app/assets/javascripts/discourse/models/user.js.es6
+++ b/app/assets/javascripts/discourse/models/user.js.es6
@ -177,7 +177,9 @@ const User = RestModel.extend({
        if ((this.get('stream.filter') || ua.action_type) !== ua.action_type) return;
        if (!this.get('stream.filter') && !this.inAllStream(ua)) return;

-        const action = Discourse.UserAction.collapseStream([Discourse.UserAction.create(ua)]);
+        ua.title = Discourse.Emoji.unescape(Handlebars.Utils.escapeExpression(ua.title));
+        const action = UserAction.collapseStream([UserAction.create(ua)]);
+
        stream.set('itemsLoaded', stream.get('itemsLoaded') + 1);
        stream.get('content').insertAt(0, action[0]);
      }