From 0428bacfa943fa06861b383b9ab1d19b203bbcee Mon Sep 17 00:00:00 2001
From: Robin Ward
Date: Tue, 20 Oct 2015 12:09:59 -0400
Subject: [PATCH] SECURITY: A user could XSS themselves on their preference page
---
 .../javascripts/discourse/components/d-editor.js.es6 | 2 +-
 test/javascripts/components/d-editor-test.js.es6 | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/app/assets/javascripts/discourse/components/d-editor.js.es6 b/app/assets/javascripts/discourse/components/d-editor.js.es6
index 4d8061c6e..879cb9c64 100644
--- a/app/assets/javascripts/discourse/components/d-editor.js.es6
+++ b/app/assets/javascripts/discourse/components/d-editor.js.es6
@@ -29,7 +29,7 @@ export default Ember.Component.extend({
 preview(ready, value) {
 if (!ready) { return; }
- const text = Discourse.Dialect.cook(value || "", {});
+ const text = Discourse.Dialect.cook(value || "", {sanitize: true});
 return text ? text : "";
 },
diff --git a/test/javascripts/components/d-editor-test.js.es6 b/test/javascripts/components/d-editor-test.js.es6
index 7ae1c7823..f27607499 100644
--- a/test/javascripts/components/d-editor-test.js.es6
+++ b/test/javascripts/components/d-editor-test.js.es6
@@ -19,6 +19,17 @@ componentTest('preview updates with markdown', {
 }
 });
+componentTest('preview sanitizes HTML', {
+ template: '{{d-editor value=value}}',
+
+ test(assert) {
+ this.set('value', `">`);
+ andThen(() => {
+ assert.equal(this.$('.d-editor-preview').html().trim(), '
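Review bot: The fix makes sanitization opt-in at this one call site: the removed line shows that `Discourse.Dialect.cook(value || "", {})` produced unsanitized HTML, so any other caller that omits `sanitize` and injects the result into the DOM presumably has the same self-XSS exposure. Consider inverting the default inside `Discourse.Dialect.cook` so that an absent option sanitizes and callers must opt out explicitly; that change lives outside this hunk and the cook implementation is not visible here. Within the hunk, a why-comment above the added line would keep the flag from being dropped in a later refactor: `// preview HTML is injected into the DOM; sanitize so raw markup typed into the editor cannot execute (self-XSS)`. This hardens only the client-side preview; server-side cooking of the saved value is a separate path whose sanitization this patch does not show. The enclosing `Ember.Component.extend({` object starts before the hunk.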

\">

'); + }); + } +}); + componentTest('updating the value refreshes the preview', { template: '{{d-editor value=value}}',