
SECURITY: properly escape user input (#38)

We were failing to correctly escape content that we would then inject into the HTML of the post, causing an XSS.

Note this XSS is stopped by CSP.
Joffrey JAFFEUX
2024-08-20 18:06:58 +02:00
committed by GitHub
parent 57045bc9e5
commit a62f711d56
@@ -1,5 +1,6 @@
import { debounce, later } from "@ember/runloop"; import { debounce, later } from "@ember/runloop";
import { withPluginApi } from "discourse/lib/plugin-api"; import { withPluginApi } from "discourse/lib/plugin-api";
import { escapeExpression } from "discourse/lib/utilities";
import DiscoursePlaceholderBuilder from "../components/modal/discourse-placeholder-builder"; import DiscoursePlaceholderBuilder from "../components/modal/discourse-placeholder-builder";
const VALID_TAGS = const VALID_TAGS =
@@ -135,6 +136,8 @@ export default {
newValue = `${placeholder.delimiter}${key}${placeholder.delimiter}`; newValue = `${placeholder.delimiter}${key}${placeholder.delimiter}`;
} }
newValue = escapeExpression(newValue);
cooked.querySelectorAll(VALID_TAGS).forEach((elem, index) => { cooked.querySelectorAll(VALID_TAGS).forEach((elem, index) => {
const mapping = mappings[index]; const mapping = mappings[index];