codeninjasllc/discourse
1
0
Fork 0
mirror of https://github.com/codeninjasllc/discourse.git synced 2024-11-23 23:58:31 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

SECURITY: self XSS by admin by editing badge name

Browse source
This commit is contained in:
Sam 2014-04-23 09:46:32 +10:00
parent 6538874064
commit 8abf652dc3
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
app/assets/javascripts/discourse/lib/html.js
View file

@ -93,7 +93,7 @@ Discourse.HTML = {
html += "data-drop-close=\"true\" class=\"badge-category" + (restricted ? ' restricted' : '' ) +
extraClasses + "\" ";
name = Handlebars.Utils.escapeExpression(name);
// Add description if we have it
if (description) html += "title=\"" + Handlebars.Utils.escapeExpression(description) + "\" ";