From 5a75972b0beff37c20c027ceb8284eefe7c358d6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9gis=20Hanol?= <regis@hanol.fr>
Date: Sat, 14 May 2016 00:08:19 +0200
Subject: [PATCH] SECURITY: 2 XSSs in post gutter and local oneboxes

---
 app/assets/javascripts/discourse/widgets/post-gutter.js.es6 | 2 +-
 lib/onebox/engine/discourse_local_onebox.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/assets/javascripts/discourse/widgets/post-gutter.js.es6 b/app/assets/javascripts/discourse/widgets/post-gutter.js.es6
index 81443e10b..d8352d2ae 100644
--- a/app/assets/javascripts/discourse/widgets/post-gutter.js.es6
+++ b/app/assets/javascripts/discourse/widgets/post-gutter.js.es6
@@ -29,7 +29,7 @@ export default createWidget('post-gutter', {
 seenTitles[title] = true;
 titleCount++;
 if (result.length < toShow) {
- const linkBody = [new RawHtml({html: `<span>${Discourse.Emoji.unescape(title)}</span>`})];
+ const linkBody = [new RawHtml({html: `<span>${Discourse.Emoji.unescape(Handlebars.Utils.escapeExpression(title))}</span>`})];
 if (l.clicks) {
 linkBody.push(h('span.badge.badge-notification.clicks', l.clicks.toString()));
 }
diff --git a/lib/onebox/engine/discourse_local_onebox.rb b/lib/onebox/engine/discourse_local_onebox.rb
index 23c98ece2..5e7564037 100644
--- a/lib/onebox/engine/discourse_local_onebox.rb
+++ b/lib/onebox/engine/discourse_local_onebox.rb
@@ -96,7 +96,7 @@ module Onebox
 quote = post.excerpt(SiteSetting.post_onebox_maxlength)
 args = {
 original_url: url,
- title: PrettyText.unescape_emoji(topic.title),
+ title: PrettyText.unescape_emoji(CGI::escapeHTML(topic.title)),
 avatar: PrettyText.avatar_img(topic.user.avatar_template, 'tiny'),
 posts_count: topic.posts_count,
 last_post: FreedomPatches::Rails4.time_ago_in_words(topic.last_posted_at, false, scope: :'datetime.distance_in_words_verbose'),
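Review bot: The call order on the added `linkBody` line — `Handlebars.Utils.escapeExpression` first, `Discourse.Emoji.unescape` second — is what makes the fix work, and nothing in the code records that: emoji unescape emits `<img>` markup that must reach `RawHtml` intact, so a later refactor that swaps the two calls or escapes the whole result would silently break either safety or rendering. Suggest a comment above the line: `// Escape the user-controlled title first; Emoji.unescape then adds trusted <img> markup that RawHtml must render as-is.` `Handlebars` is used as a global here and whether this file imports it is not visible in the hunk. A regression test that renders a topic title such as `<img src=x onerror=alert(1)>` and asserts the gutter output contains `&lt;img` would pin the fix. The enclosing createWidget callback starts before and ends after this hunk.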
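Review bot: The added `title:` line is only correct if the onebox template renders `title` unescaped — it must, for the emoji `<img>` markup to survive — yet that dependency is invisible from here, and if the template also escapes the value the title will now be double-encoded (`&amp;lt;`). Suggest a comment above the line: `# Escape before unescape_emoji: the template renders title raw so emoji <img> markup survives.` `CGI::escapeHTML` raises TypeError on nil, so if `topic.title` can ever be nil this line would now fail where the previous code did not; worth confirming against the model. A spec that builds a topic titled `<script>alert(1)</script>` and asserts the onebox output contains `&lt;script&gt;` would pin the fix. The enclosing method begins before and ends after this hunk.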