SECURITY: A user could XSS themselves on their preference page
This commit is contained in:
parent
e08c9b8c49
commit
0428bacfa9
2 changed files with 12 additions and 1 deletions
|
@ -29,7 +29,7 @@ export default Ember.Component.extend({
|
|||
preview(ready, value) {
|
||||
if (!ready) { return; }
|
||||
|
||||
const text = Discourse.Dialect.cook(value || "", {});
|
||||
const text = Discourse.Dialect.cook(value || "", {sanitize: true});
|
||||
return text ? text : "";
|
||||
},
|
||||
|
||||
|
|
|
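Review bot: The fix makes sanitisation opt-in at this single call site, so any future `Discourse.Dialect.cook(value, {})` elsewhere in the client would reintroduce the same self-XSS; if `cook` defaults `sanitize` to false, flipping that default and requiring an explicit opt-out where trusted markup is intended would be the safer shape, though `cook` itself is outside this hunk. Because the value returned by `preview` is inserted as markup (the new test reads it back with `.html()`), a why-comment on the cook line would stop the option being dropped later as "unnecessary": `// Preview output is rendered as HTML: sanitize so markup in the user's own draft cannot execute.`. Sanitising in the preview only protects the client; the stored value still has to be sanitised server-side on save and on render, which this commit does not show. The enclosing component definition starts before the hunk.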
@ -19,6 +19,17 @@ componentTest('preview updates with markdown', {
|
|||
}
|
||||
});
|
||||
|
||||
componentTest('preview sanitizes HTML', {
|
||||
template: '{{d-editor value=value}}',
|
||||
|
||||
test(assert) {
|
||||
this.set('value', `"><svg onload="prompt(/xss/)"></svg>`);
|
||||
andThen(() => {
|
||||
assert.equal(this.$('.d-editor-preview').html().trim(), '<p>\"></p>');
|
||||
});
|
||||
}
|
||||
});
|
||||
|
||||
componentTest('updating the value refreshes the preview', {
|
||||
template: '{{d-editor value=value}}',
|
||||
|
||||
|
|
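Review bot: The new test pins the sanitiser's exact serialisation (`'<p>\"></p>'`) for one payload, so it will break on any harmless change to how the stripped text is escaped while still saying nothing directly about the property that matters, that no executable markup survives. Keep the equality if you want the regression pinned, but add an assertion on the dangerous part, e.g. `assert.equal(this.$('.d-editor-preview svg').length, 0);` and `assert.ok(!this.$('.d-editor-preview').html().includes('onload'));`, and consider a second vector such as an `<img onerror>` or a `javascript:` link so the test is not tied to one tag. Minor style point: inside a single-quoted string the `\"` escape is redundant; `'<p>"></p>'` reads more plainly.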