From 3d62e5dd981f5857e6b6020d117c77d93b660890 Mon Sep 17 00:00:00 2001 From: Robin Ward Date: Fri, 5 Aug 2016 12:01:16 -0400 Subject: [PATCH] SECURITY: XSS issue on Admin users list --- .../admin/templates/users-list-show.hbs | 6 ++-- .../discourse/controllers/login.js.es6 | 7 +++-- .../templates/modal/not-activated.hbs | 2 +- app/services/user_activator.rb | 2 +- spec/services/user_activator_spec.rb | 10 +++++++ .../acceptance/admin-users-list-test.js.es6 | 11 +++++++ .../acceptance/sign-in-test.js.es6 | 30 +++++++++++++++++-- .../helpers/create-pretender.js.es6 | 17 +++++++++++ 8 files changed, 75 insertions(+), 10 deletions(-) create mode 100644 test/javascripts/acceptance/admin-users-list-test.js.es6 diff --git a/app/assets/javascripts/admin/templates/users-list-show.hbs b/app/assets/javascripts/admin/templates/users-list-show.hbs index aa478dcd6..879161e3d 100644 --- a/app/assets/javascripts/admin/templates/users-list-show.hbs +++ b/app/assets/javascripts/admin/templates/users-list-show.hbs @@ -21,7 +21,7 @@ {{#conditional-loading-spinner condition=refreshing}} {{#if model}} - +
{{#if showApproval}} @@ -42,7 +42,7 @@ {{#each model as |user|}} - + {{#if showApproval}} - + diff --git a/app/assets/javascripts/discourse/controllers/login.js.es6 b/app/assets/javascripts/discourse/controllers/login.js.es6 index 4303de475..4abefa97b 100644 --- a/app/assets/javascripts/discourse/controllers/login.js.es6 +++ b/app/assets/javascripts/discourse/controllers/login.js.es6 @@ -3,6 +3,7 @@ import ModalFunctionality from 'discourse/mixins/modal-functionality'; import showModal from 'discourse/lib/show-modal'; import { setting } from 'discourse/lib/computed'; import { findAll } from 'discourse/models/login-method'; +import { escape } from 'pretty-text/sanitizer'; // This is happening outside of the app via popup const AuthErrors = @@ -63,11 +64,11 @@ export default Ember.Controller.extend(ModalFunctionality, { // Successful login if (result.error) { self.set('loggingIn', false); - if( result.reason === 'not_activated' ) { + if (result.reason === 'not_activated') { self.send('showNotActivated', { username: self.get('loginName'), - sentTo: result.sent_to_email, - currentEmail: result.current_email + sentTo: escape(result.sent_to_email), + currentEmail: escape(result.current_email) }); } else if (result.reason === 'suspended' ) { self.send("closeModal"); diff --git a/app/assets/javascripts/discourse/templates/modal/not-activated.hbs b/app/assets/javascripts/discourse/templates/modal/not-activated.hbs index f8df2639e..9d6620cbc 100644 --- a/app/assets/javascripts/discourse/templates/modal/not-activated.hbs +++ b/app/assets/javascripts/discourse/templates/modal/not-activated.hbs @@ -3,7 +3,7 @@ {{{i18n 'login.sent_activation_email_again' currentEmail=currentEmail}}} {{else}} {{{i18n 'login.not_activated' sentTo=sentTo}}} - {{i18n 'login.resend_activation_email'}} + {{i18n 'login.resend_activation_email'}} {{/if}}
{{input type="checkbox" checked=selectAll}}
{{#if user.can_approve}} @@ -52,7 +52,7 @@ {{/if}} {{avatar user imageSize="small"}} {{#link-to 'adminUser' user}}{{unbound user.username}}{{/link-to}}{{{unbound user.email}}} {{{unbound user.last_emailed_age}}} {{{unbound user.last_seen_age}}} {{{unbound user.topics_entered}}}