SECURITY: category badges should HTML escape names

Sam
2018-06-28 18:14:55 +10:00
parent ec3e6a81a4
commit db14e10943
3 changed files with 22 additions and 4 deletions
+6 -3
@@ -79,7 +79,7 @@ module CategoryBadge
# category name
class_names = 'badge-category clear-badge'
description = category.description_text ? "title='#{category.description_text.html_safe}'" : ''
description = category.description_text ? "title='#{category.description_text}'" : ''
category_url = opts[:absolute_url] ? "#{Discourse.base_url_no_prefix}#{category.url}" : category.url
extra_span_classes =
@@ -102,7 +102,10 @@ module CategoryBadge
result << "<span style='#{extra_span_classes}' data-drop-close='true' class='#{class_names}'
#{description}>"
result << category.name.html_safe << '</span>'
"<a class='badge-wrapper #{extra_classes}' href='#{category_url}'" + (opts[:inline_style] ? inline_badge_wrapper_style : '') + ">#{result}</a>"
result << ERB::Util.html_escape(category.name) << '</span>'
result = "<a class='badge-wrapper #{extra_classes}' href='#{category_url}'" + (opts[:inline_style] ? inline_badge_wrapper_style : '') + ">#{result}</a>"
result.html_safe
end
end
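Review bot: The `title='#{category.description_text}'` attribute on the new side of the first hunk is still interpolated unescaped; dropping `.html_safe` changes nothing there because the enclosing literal is a plain Ruby String, so a description_text containing `'` or `>` can terminate the attribute and inject markup exactly as the name could before this commit, unless description_text is already attribute-safe at its source (not visible here). Since the second hunk now escapes `category.name` with `ERB::Util.html_escape`, the same treatment belongs on the description: `description = category.description_text ? "title='#{ERB::Util.html_escape(category.description_text)}'" : ''`. The trailing `result.html_safe` marks the whole assembled string as trusted, so every other interpolated value (`category_url`, `extra_classes`, `class_names`, `extra_span_classes`) is now implicitly asserted safe; `category_url` in particular deserves a check since it flows straight into `href` and its origin is outside the hunk. The `html_for` method that builds `result` starts before the first hunk, so where `result` is initialised is not visible.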