SECURITY: XSS in "Account Suspended" Messages and Badge Descriptions

This commit is contained in:
Robin Ward
2016-07-28 11:36:48 -04:00
parent 85a91c8b81
commit 2f8ab8cd30
5 changed files with 1694 additions and 11 deletions


@ -291,7 +291,8 @@ class SessionController < ApplicationController
message = user.suspend_reason ? "login.suspended_with_reason" : "login.suspended"
render json: {
error: I18n.t(message, { date: I18n.l(user.suspended_till, format: :date_only), reason: user.suspend_reason}),
error: I18n.t(message, { date: I18n.l(user.suspended_till, format: :date_only),
reason: Rack::Utils.escape_html(user.suspend_reason) }),
reason: 'suspended'
}
end
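Review bot: The escaping added on the new `reason:` line closes the hole in this response, but it bakes an HTML-encoding decision into a JSON API field: a client that renders `error` as plain text will now show `&lt;` sequences literally, and any other place that displays `suspend_reason` (profile page, admin user list) gets no protection from this hunk. Output encoding normally belongs where the string meets the DOM, so either the client should insert `error` as text or the pre-escaping should be stated at the call site, for example `# suspend_reason is admin-entered and the client inserts this message as HTML, so escape it here` above the `render json:` line, so nobody double-escapes it later. When no reason is set, `Rack::Utils.escape_html(nil)` returns an empty string rather than nil (it calls `to_s` on its argument, if I recall the Rack implementation correctly), which is harmless only because the `login.suspended` translation does not interpolate `reason`. The `date` interpolation is a formatted date from `I18n.l` and needs no escaping. The enclosing action begins before this hunk, and the rendered hunk header looks truncated, so a context line may be missing from what is shown.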