mirror of
https://github.com/codeninjasllc/discourse.git
synced 2024-11-30 19:08:10 -05:00
SECURITY: fix XSS using fancy mention hack
This commit is contained in:
parent
ae686e8188
commit
1d1dd43e27
1 changed files with 2 additions and 0 deletions
|
@ -23,6 +23,8 @@ export default Discourse.ObjectController.extend({
|
||||||
showMoreBadges: Em.computed.gt('moreBadgesCount', 0),
|
showMoreBadges: Em.computed.gt('moreBadgesCount', 0),
|
||||||
|
|
||||||
show: function(username, uploadedAvatarId) {
|
show: function(username, uploadedAvatarId) {
|
||||||
|
// XSS protection (should be encapsulated)
|
||||||
|
username = username.replace(/[^A-Za-z0-9_]/g, "");
|
||||||
var url = "/users/" + username;
|
var url = "/users/" + username;
|
||||||
|
|
||||||
// Don't show on mobile
|
// Don't show on mobile
|
||||||
|
|
Loading…
Reference in a new issue