From 71b65be6f6e0a289dffce3f7d02df819d9482cc3 Mon Sep 17 00:00:00 2001
From: Neil Lalonde
Date: Mon, 13 Aug 2018 16:44:35 -0400
Subject: [PATCH] SECURITY: prevent use of X-Forwarded-Host to perform XSS
---
 app/views/common/_special_font_face.html.erb | 2 +-
 app/views/exceptions/not_found.html.erb | 4 +---
 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/app/views/common/_special_font_face.html.erb b/app/views/common/_special_font_face.html.erb
index 6436768afd..50fc5d96a8 100644
--- a/app/views/common/_special_font_face.html.erb
+++ b/app/views/common/_special_font_face.html.erb
@@ -8,7 +8,7 @@ &1 was added last when the nginx sample config changed %>
-<% font_domain = "#{request.protocol}#{request.host_with_port}&2" %>
+<% font_domain = "#{Discourse.base_url_no_prefix}&2".html_safe %>
 <% woff2_url = "#{asset_path("fontawesome-webfont.woff2")}?#{font_domain}&v=4.7.0".html_safe %>
diff --git a/app/views/exceptions/not_found.html.erb b/app/views/exceptions/not_found.html.erb
index 899c231514..e06acfd090 100644
--- a/app/views/exceptions/not_found.html.erb
+++ b/app/views/exceptions/not_found.html.erb
@@ -26,15 +26,13 @@ <% end %>
 <%- unless @hide_google %>
- <% local_domain = "#{request.protocol}#{request.host_with_port}" %>
-
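Review bot: The `.html_safe` added on the new `font_domain` line is a no-op and misleading: interpolating a SafeBuffer into a string literal yields a plain String, so the only thing that actually marks this value safe is the pre-existing `.html_safe` on `woff2_url`, which still blesses whatever `font_domain` holds. Since the real fix is that the value now comes from configuration instead of the request's Host/X-Forwarded-Host headers, record that where the trust decision is made rather than tagging an intermediate: `<% font_domain = "#{Discourse.base_url_no_prefix}&2" %>` preceded by `<%# base_url_no_prefix is derived from config, not from request headers, so the html_safe on woff2_url below is justified %>`. This also changes behaviour for deployments reached under a hostname other than the configured one, which now get the configured host in the font URL instead of the request host; if the nginx rewrite that consumes the `&1`/`&2` arguments depends on matching the requesting origin that deserves a note too (inferred — the consuming config is not in the diff). The rest of the template, including any other `request.host_with_port` uses, is outside this hunk.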