SECURITY: A user could XSS themselves on their preference page
This commit is contained in:
parent
e08c9b8c49
commit
0428bacfa9
2 changed files with 12 additions and 1 deletions
|
@ -29,7 +29,7 @@ export default Ember.Component.extend({
|
||||||
preview(ready, value) {
|
preview(ready, value) {
|
||||||
if (!ready) { return; }
|
if (!ready) { return; }
|
||||||
|
|
||||||
const text = Discourse.Dialect.cook(value || "", {});
|
const text = Discourse.Dialect.cook(value || "", {sanitize: true});
|
||||||
return text ? text : "";
|
return text ? text : "";
|
||||||
},
|
},
|
||||||
|
|
||||||
|
|
|
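Review bot: Sanitization is opt-in at this call site, so the old `{}` silently meant "render raw HTML" and any other `Discourse.Dialect.cook` caller that still passes `{}` keeps that behaviour; the safer shape is for `cook` to default `sanitize` to true and require an explicit `sanitize: false` where trusted markup is intended, though `cook`'s defaults are outside this hunk and I cannot confirm them from here. The reason for the flag is also not recorded at the call site, so it is easy to drop in a refactor; a one-line comment above the cook call would guard that, e.g. `// the preview renders user-supplied markdown as HTML, so always sanitize`. `preview` is entirely within the hunk.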
@ -19,6 +19,17 @@ componentTest('preview updates with markdown', {
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
|
componentTest('preview sanitizes HTML', {
|
||||||
|
template: '{{d-editor value=value}}',
|
||||||
|
|
||||||
|
test(assert) {
|
||||||
|
this.set('value', `"><svg onload="prompt(/xss/)"></svg>`);
|
||||||
|
andThen(() => {
|
||||||
|
assert.equal(this.$('.d-editor-preview').html().trim(), '<p>\"></p>');
|
||||||
|
});
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
componentTest('updating the value refreshes the preview', {
|
componentTest('updating the value refreshes the preview', {
|
||||||
template: '{{d-editor value=value}}',
|
template: '{{d-editor value=value}}',
|
||||||
|
|
||||||
|
|
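Review bot: The `assert.equal` line pins the sanitizer's exact serialization (`<p>\"></p>`) rather than the property the test is named for, so a harmless change in how the sanitizer encodes the stray quote (for instance as `&quot;`) fails the test, while the check says nothing explicit about the tag and handler being gone. Asserting the property directly is more robust and documents the intent: `const html = this.$('.d-editor-preview').html();` followed by `assert.ok(!/<svg|onload/i.test(html), 'preview must not contain unsanitized markup');`, optionally keeping the exact-output comparison alongside it. The added `componentTest` block is complete within the hunk.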