osr-plastic/osr-discourse-src
Archived
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

FIX: Mark invites flash messages as HTML safe. (#15539)

Browse Source 
* FIX: Mark invites flash messages as HTML safe.
This change should be safe as all user inputs included in the errors are sanitized before sending it back to the client.

Context: https://meta.discourse.org/t/html-tags-are-explicit-after-latest-update/214220

* If somebody adds a new error message that includes user input and doesn't sanitize it, using html-safe suddenly becomes unsafe again. As an extra layer of protection, we make the client sanitize the error message received from the backend.

* Escape user input instead of sanitizing
This commit is contained in:
Roman Rizzi
2022-01-18 09:38:31 -03:00
committed by GitHub
parent 7329b766cb
commit 5ee31cbf7d
6 changed files with 44 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/assets/javascripts/discourse/app/controllers/create-invite.js
+4 -3
View File
@@ -11,6 +11,7 @@ import Group from "discourse/models/group";
import Invite from "discourse/models/invite";
import I18n from "I18n";
import { FORMAT } from "select-kit/components/future-date-input-selector";
import { sanitize } from "discourse/lib/text";
export default Controller.extend(
ModalFunctionality,
@@ -130,7 +131,7 @@ export default Controller.extend(
if (result.warnings) {
this.setProperties({
flashText: result.warnings.join(","),
flashText: sanitize(result.warnings.join(",")),
flashClass: "warning",
flashLink: !this.editing,
});
@@ -139,7 +140,7 @@ export default Controller.extend(
this.send("closeModal");
} else {
this.setProperties({
flashText: I18n.t("user.invited.invite.invite_saved"),
flashText: sanitize(I18n.t("user.invited.invite.invite_saved")),
flashClass: "success",
flashLink: !this.editing,
});
@@ -148,7 +149,7 @@ export default Controller.extend(
})
.catch((e) =>
this.setProperties({
flashText: extractError(e),
flashText: sanitize(extractError(e)),
flashClass: "error",
flashLink: false,
})
app/assets/javascripts/discourse/app/templates/modal/create-invite.hbs
+2 -2
View File
@@ -2,7 +2,7 @@
<div id="modal-alert" role="alert" class="alert alert-{{flashClass}}">
{{#if flashLink}}
<div class="input-group invite-link">
<label for="invite-link">{{flashText}} {{i18n "user.invited.invite.instructions"}}</label>
<label for="invite-link">{{html-safe flashText}} {{i18n "user.invited.invite.instructions"}}</label>
<div class="link-share-container">
{{input
name="invite-link"
@@ -14,7 +14,7 @@
</div>
</div>
{{else}}
{{flashText}}
{{html-safe flashText}}
{{/if}}
</div>
{{/if}}