SECURITY: A user could XSS themselves on their preference page

This commit is contained in:
Robin Ward 2015-10-20 12:09:59 -04:00
parent e08c9b8c49
commit 0428bacfa9
2 changed files with 12 additions and 1 deletions


@ -29,7 +29,7 @@ export default Ember.Component.extend({
preview(ready, value) {
if (!ready) { return; }
const text = Discourse.Dialect.cook(value || "", {});
const text = Discourse.Dialect.cook(value || "", {sanitize: true});
return text ? text : "";
},
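Review bot: The new `cook` call makes sanitization opt-in at this one call site, and nothing in the hunk records why the option is required, so a future caller copying the pattern with `{}` would reintroduce the same issue. Since the preview output is injected into the page as HTML rather than text, a comment on the line would keep the reason visible: `// Preview is rendered as HTML from user input; sanitize so markup in the value cannot execute.` The old call with `{}` evidently produced unsanitized output, which suggests other callers of `cook` that omit the option deserve the same check, though that is not visible from this hunk. As a minor style point, `return text ? text : "";` reads more simply as `return text || "";`. The enclosing `Ember.Component.extend` object starts before the hunk and continues past it.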


@ -19,6 +19,17 @@ componentTest('preview updates with markdown', {
}
});
componentTest('preview sanitizes HTML', {
template: '{{d-editor value=value}}',
test(assert) {
this.set('value', `"><svg onload="prompt(/xss/)"></svg>`);
andThen(() => {
assert.equal(this.$('.d-editor-preview').html().trim(), '<p>\"&gt;</p>');
});
}
});
componentTest('updating the value refreshes the preview', {
template: '{{d-editor value=value}}',