mirror of
https://github.com/codeninjasllc/discourse.git
synced 2024-11-27 17:46:05 -05:00
SECURITY: fix XSS using fancy mention hack
This commit is contained in:
parent
ae686e8188
commit
1d1dd43e27
1 changed files with 2 additions and 0 deletions
|
@ -23,6 +23,8 @@ export default Discourse.ObjectController.extend({
|
|||
showMoreBadges: Em.computed.gt('moreBadgesCount', 0),
|
||||
|
||||
show: function(username, uploadedAvatarId) {
|
||||
// XSS protection (should be encapsulated)
|
||||
username = username.replace(/[^A-Za-z0-9_]/g, "");
|
||||
var url = "/users/" + username;
|
||||
|
||||
// Don't show on mobile
|
||||
|
|
Loading…
Reference in a new issue