FIX: Mark invites flash messages as HTML safe. (#15539)
* FIX: Mark invites flash messages as HTML safe. This change should be safe as all user inputs included in the errors are sanitized before they are sent back to the client. Context: https://meta.discourse.org/t/html-tags-are-explicit-after-latest-update/214220 * If somebody adds a new error message that includes user input and doesn't sanitize it, using html-safe suddenly becomes unsafe again. As an extra layer of protection, we make the client sanitize the error message received from the backend. * Escape user input instead of sanitizing
@@ -11,6 +11,7 @@ import Group from "discourse/models/group";
|
||||
import Invite from "discourse/models/invite";
|
||||
import I18n from "I18n";
|
||||
import { FORMAT } from "select-kit/components/future-date-input-selector";
|
||||
import { sanitize } from "discourse/lib/text";
|
||||
|
||||
export default Controller.extend(
|
||||
ModalFunctionality,
|
||||
@@ -130,7 +131,7 @@ export default Controller.extend(
|
||||
|
||||
if (result.warnings) {
|
||||
this.setProperties({
|
||||
flashText: result.warnings.join(","),
|
||||
flashText: sanitize(result.warnings.join(",")),
|
||||
flashClass: "warning",
|
||||
flashLink: !this.editing,
|
||||
});
|
||||
@@ -139,7 +140,7 @@ export default Controller.extend(
|
||||
this.send("closeModal");
|
||||
} else {
|
||||
this.setProperties({
|
||||
flashText: I18n.t("user.invited.invite.invite_saved"),
|
||||
flashText: sanitize(I18n.t("user.invited.invite.invite_saved")),
|
||||
flashClass: "success",
|
||||
flashLink: !this.editing,
|
||||
});
|
||||
@@ -148,7 +149,7 @@ export default Controller.extend(
|
||||
})
|
||||
.catch((e) =>
|
||||
this.setProperties({
|
||||
flashText: extractError(e),
|
||||
flashText: sanitize(extractError(e)),
|
||||
flashClass: "error",
|
||||
flashLink: false,
|
||||
})
|
||||
|
||||
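Review bot: The `sanitize(extractError(e))` call in the `.catch` handler carries no comment saying why the client re-sanitizes a message the server already escaped, so a later cleanup could drop it as redundant and silently reopen the injection path that the `{{html-safe flashText}}` template change now depends on. The same applies to the `sanitize(...)` wrappers added in the warnings hunk (ending at L52) and the success hunk (ending at L79). Suggested comment above the `.catch` assignment, worded to fit the other two call sites as well: `// flashText is rendered with {{html-safe}}; sanitize here as a second layer in case a backend message includes unescaped user input`. Assuming `sanitize` from discourse/lib/text is the allowlist-based HTML sanitizer, it should leave backend-escaped entities intact, but that is worth confirming with a test that passes an escaped `<script>` through `extractError` and checks the rendered output. The enclosing method that issues the request starts before the hunk.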
@@ -2,7 +2,7 @@
|
||||
<div id="modal-alert" role="alert" class="alert alert-{{flashClass}}">
|
||||
{{#if flashLink}}
|
||||
<div class="input-group invite-link">
|
||||
<label for="invite-link">{{flashText}} {{i18n "user.invited.invite.instructions"}}</label>
|
||||
<label for="invite-link">{{html-safe flashText}} {{i18n "user.invited.invite.instructions"}}</label>
|
||||
<div class="link-share-container">
|
||||
{{input
|
||||
name="invite-link"
|
||||
@@ -14,7 +14,7 @@
|
||||
</div>
|
||||
</div>
|
||||
{{else}}
|
||||
{{flashText}}
|
||||
{{html-safe flashText}}
|
||||
{{/if}}
|
||||
</div>
|
||||
{{/if}}
|
||||
|
||||
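Review bot: Both `{{html-safe flashText}}` uses in this template render `flashText` as raw markup, and nothing in the template records that this is only safe because every setter in the invite controller passes the value through `sanitize()`. A reader of the template alone cannot see that invariant, and a new code path that sets `flashText` directly would bypass it. Suggested comment above the first `{{html-safe flashText}}`: `{{!-- flashText is rendered as HTML: every assignment in the invite controller must go through sanitize() first --}}`.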