SECURITY: A user could XSS themselves on their preference page

Robin Ward
2015-10-20 12:09:59 -04:00
parent e08c9b8c49
commit 0428bacfa9
2 changed files with 12 additions and 1 deletions


@ -19,6 +19,17 @@ componentTest('preview updates with markdown', {
}
});
componentTest('preview sanitizes HTML', {
template: '{{d-editor value=value}}',
test(assert) {
this.set('value', `"><svg onload="prompt(/xss/)"></svg>`);
andThen(() => {
assert.equal(this.$('.d-editor-preview').html().trim(), '<p>\"&gt;</p>');
});
}
});
componentTest('updating the value refreshes the preview', {
template: '{{d-editor value=value}}',