Merge pull request #3192 from riking/patch-xss

SECURITY: missed html escaping
2024-11-30 10:58:31 -05:00 · 2015-02-10 15:24:09 -05:00 · 2015-02-10 15:24:09 -05:00 · c0856daf13
commit c0856daf13
parent c4e427cf73 83b51875bb
2 changed files with 9 additions and 15 deletions
--- a/app/assets/javascripts/discourse/controllers/composer.js.es6
+++ b/app/assets/javascripts/discourse/controllers/composer.js.es6
@ -185,7 +185,7 @@ export default DiscourseController.extend({
      var topic = this.get('topic');
      if (!topic || topic.get('id') !== composer.get('topic.id'))
      {
-        var message = I18n.t("composer.posting_not_on_topic", {title: this.get('model.topic.title')});
+        var message = I18n.t("composer.posting_not_on_topic");

        var buttons = [{
          "label": I18n.t("composer.cancel"),
@ -195,7 +195,7 @@ export default DiscourseController.extend({

        if (topic) {
          buttons.push({
-            "label": I18n.t("composer.reply_here") + "<br/><div class='topic-title overflow-ellipsis'>" + topic.get('title') + "</div>",
+            "label": I18n.t("composer.reply_here") + "<br/><div class='topic-title overflow-ellipsis'>" + Handlebars.Utils.escapeExpression(topic.get('title')) + "</div>",
            "class": "btn btn-reply-here",
            "callback": function() {
              composer.set('topic', topic);
@ -206,7 +206,7 @@ export default DiscourseController.extend({
        }

        buttons.push({
-          "label": I18n.t("composer.reply_original") + "<br/><div class='topic-title overflow-ellipsis'>" + this.get('model.topic.title') + "</div>",
+          "label": I18n.t("composer.reply_original") + "<br/><div class='topic-title overflow-ellipsis'>" + Handlebars.Utils.escapeExpression(this.get('model.topic.title')) + "</div>",
          "class": "btn-primary btn-reply-on-original",
          "callback": function() {
            self.save(true);
--- a/app/models/topic.rb
+++ b/app/models/topic.rb
@ -249,13 +249,7 @@ class Topic < ActiveRecord::Base
  end

  def fancy_title
-    sanitized_title = title.gsub(/['&\"<>]/, {
-        "'" => '&#39;',
-        '&' => '&amp;',
-        '"' => '&quot;',
-        '<' => '&lt;',
-        '>' => '&gt;',
-      })
+    sanitized_title = ERB::Util.html_escape(title)

    return unless sanitized_title
    return sanitized_title unless SiteSetting.title_fancy_entities?