From 0c5189fa2aed03fd6375d310acba78052bf8ff7a Mon Sep 17 00:00:00 2001
From: Sam
Date: Tue, 8 Sep 2015 15:25:00 +1000
Subject: [PATCH] SECURITY: fix possible XSS expanding quotes

---
 .../javascripts/discourse/views/post.js.es6 | 9 +-
 app/assets/javascripts/vendor.js | 1 -
 .../javascripts/jquery.ba-replacetext.js | 129 ------------------
 3 files changed, 4 insertions(+), 135 deletions(-)
 delete mode 100644 vendor/assets/javascripts/jquery.ba-replacetext.js

diff --git a/app/assets/javascripts/discourse/views/post.js.es6 b/app/assets/javascripts/discourse/views/post.js.es6
index bc555c678..ef1869e90 100644
--- a/app/assets/javascripts/discourse/views/post.js.es6
+++ b/app/assets/javascripts/discourse/views/post.js.es6
@@ -145,11 +145,10 @@ const PostView = Discourse.GroupedView.extend(Ember.Evented, {
 topicId = parseInt(topicId, 10);
 Discourse.ajax("/posts/by_number/" + topicId + "/" + postId).then(function (result) {
- // slightly double escape the cooked html to prevent jQuery from unescaping it
- const escaped = result.cooked.replace(/&[^gla]/, "&");
- const parsed = $(escaped);
- parsed.replaceText(originalText, "" + originalText + "");
- $blockQuote.showHtml(parsed, 'fast', finished);
+ const div = $("
");
+ div.html(result.cooked);
+ div.highlight(originalText, {caseSensitive: true, element: 'span', className: 'highlighted'});
+ $blockQuote.showHtml(div, 'fast', finished);
 });
 } else {
 // Hide expanded quote
diff --git a/app/assets/javascripts/vendor.js b/app/assets/javascripts/vendor.js
index 5c0788f8c..1a52785b5 100644
--- a/app/assets/javascripts/vendor.js
+++ b/app/assets/javascripts/vendor.js
@@ -22,7 +22,6 @@
 //= require div_resizer
 //= require caret_position
 //= require favcount.js
-//= require jquery.ba-replacetext.js
 //= require jquery.ba-resize.min.js
 //= require jquery.color.js
 //= require jquery.cookie.js
diff --git a/vendor/assets/javascripts/jquery.ba-replacetext.js b/vendor/assets/javascripts/jquery.ba-replacetext.js
deleted file mode 100644
index c6b60c57c..000000000
--- a/vendor/assets/javascripts/jquery.ba-replacetext.js
+++ /dev/null
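Review bot: The new lines still push server-rendered markup into the DOM with `div.html(result.cooked)`, so the fix rests on `result.cooked` being sanitized on the server, and nothing in the hunk states that or explains why `highlight` replaced the old string splice. A comment would protect the fix from a later refactor back to string building: `// originalText is user-supplied quote text: highlight it through DOM nodes (jquery.highlight) rather than splicing it into an HTML string, which is what allowed markup injection before; result.cooked is server-sanitized HTML and is the only thing inserted via .html().` The vendor.js hunk drops jquery.ba-replacetext but its context lines show no require for a highlight plugin, so presumably it is already loaded elsewhere — worth confirming before merge. The enclosing function starts outside the hunk.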
@@ -1,129 +0,0 @@ -/*! - * jQuery replaceText - v1.1 - 11/21/2009 - * http://benalman.com/projects/jquery-replacetext-plugin/ - * - * Copyright (c) 2009 "Cowboy" Ben Alman - * Dual licensed under the MIT and GPL licenses. - * http://benalman.com/about/license/ - */ - -// Script: jQuery replaceText: String replace for your jQueries! -// -// *Version: 1.1, Last updated: 11/21/2009* -// -// Project Home - http://benalman.com/projects/jquery-replacetext-plugin/ -// GitHub - http://github.com/cowboy/jquery-replacetext/ -// Source - http://github.com/cowboy/jquery-replacetext/raw/master/jquery.ba-replacetext.js -// (Minified) - http://github.com/cowboy/jquery-replacetext/raw/master/jquery.ba-replacetext.min.js (0.5kb) -// -// About: License -// -// Copyright (c) 2009 "Cowboy" Ben Alman, -// Dual licensed under the MIT and GPL licenses. -// http://benalman.com/about/license/ -// -// About: Examples -// -// This working example, complete with fully commented code, illustrates one way -// in which this plugin can be used. -// -// replaceText - http://benalman.com/code/projects/jquery-replacetext/examples/replacetext/ -// -// About: Support and Testing -// -// Information about what version or versions of jQuery this plugin has been -// tested with, and what browsers it has been tested in. -// -// jQuery Versions - 1.3.2, 1.4.1 -// Browsers Tested - Internet Explorer 6-8, Firefox 2-3.6, Safari 3-4, Chrome, Opera 9.6-10.1. -// -// About: Release History -// -// 1.1 - (11/21/2009) Simplified the code and API substantially. -// 1.0 - (11/21/2009) Initial release - -(function($){ - '$:nomunge'; // Used by YUI compressor. - - // Method: jQuery.fn.replaceText - // - // Replace text in specified elements. Note that only text content will be - // modified, leaving all tags and attributes untouched. The new text can be - // either text or HTML. 
- // - // Uses the String prototype replace method, full documentation on that method - // can be found here: - // - // https://developer.mozilla.org/En/Core_JavaScript_1.5_Reference/Objects/String/Replace - // - // Usage: - // - // > jQuery('selector').replaceText( search, replace [, text_only ] ); - // - // Arguments: - // - // search - (RegExp|String) A RegExp object or substring to be replaced. - // Because the String prototype replace method is used internally, this - // argument should be specified accordingly. - // replace - (String|Function) The String that replaces the substring received - // from the search argument, or a function to be invoked to create the new - // substring. Because the String prototype replace method is used internally, - // this argument should be specified accordingly. - // text_only - (Boolean) If true, any HTML will be rendered as text. Defaults - // to false. - // - // Returns: - // - // (jQuery) The initial jQuery collection of elements. - - $.fn.replaceText = function( search, replace, text_only ) { - return this.each(function(){ - var node = this.firstChild, - val, - new_val, - - // Elements to be removed at the end. - remove = []; - - // Only continue if firstChild exists. - if ( node ) { - - // Loop over all childNodes. - do { - - // Only process text nodes. - if ( node.nodeType === 3 ) { - - // The original node value. - val = node.nodeValue; - - // The new value. - new_val = val.replace( search, replace ); - - // Only replace text if the new value is actually different! - if ( new_val !== val ) { - - if ( !text_only && /