codeninjasllc/discourse
1
0
Fork 0
mirror of https://github.com/codeninjasllc/discourse.git synced 2024-11-27 09:36:19 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

SECURITY: Escape image title in lightbox.

Browse source
This commit is contained in:
Guo Xiang Tan 2016-08-11 11:15:00 +08:00
parent fb1698c920
commit 8dab20e5b8
1 changed files with 2 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
app/assets/javascripts/discourse/lib/lightbox.js.es6
View file

@ -1,4 +1,5 @@
import loadScript from 'discourse/lib/load-script';
import { escapeExpression } from 'discourse/lib/utilities';
export default function($elem) {
$("a.lightbox", $elem).each(function(i, e) {
@ -33,7 +34,7 @@ export default function($elem) {
image: {
titleSrc(item) {
const href = item.el.data("download-href") || item.src;
let src = [item.el.attr("title"), $("span.informations", item.el).text().replace('x', '×')];
let src = [escapeExpression(item.el.attr("title")), $("span.informations", item.el).text().replace('x', '×')];
if (!Discourse.SiteSettings.prevent_anons_from_downloading_files || Discourse.User.current()) {
src.push('<a class="image-source-link" href="' + href + '">' + I18n.t("lightbox.download") + '</a>');
}