osr-plastic/osr-discourse-src
Archived
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

FIX: Ensure theme names are escaped in HTML attributes (#15272)

Browse Source 
If a theme name contained a double-quote, this problem could lead to invalid/unexpected HTML in the `<head>`

Note that this is not considered a security issue because themes can only be installed/named by administrators, and themes/administrators already have the ability to run arbitrary javascript.
This commit is contained in:
David Taylor
2021-12-13 10:50:09 +00:00
committed by GitHub
parent bc6bff0e5a
commit 6e9bb84d12
2 changed files with 15 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
lib/stylesheet/manager.rb
+1 -1
View File
@@ -195,7 +195,7 @@ class Stylesheet::Manager
theme_id = stylesheet[:theme_id]
data_theme_id = theme_id ? "data-theme-id=\"#{theme_id}\"" : ""
theme_name = stylesheet[:theme_name]
data_theme_name = theme_name ? "data-theme-name=\"#{theme_name}\"" : ""
data_theme_name = theme_name ? "data-theme-name=\"#{CGI.escapeHTML(theme_name)}\"" : ""
%[<link href="#{href}" media="#{media}" rel="stylesheet" data-target="#{target}" #{data_theme_id} #{data_theme_name}/>]
end.join("\n").html_safe
end