SECURITY: Remove XSS in composer preview when applying image scale buttons.
@ -754,4 +754,20 @@ QUnit.test("Image resizing buttons", async assert => {
|
||||
uploads[9] = "";
|
||||
await click(find(".button-wrapper .scale-btn[data-scale='75']")[5]);
|
||||
assertImageResized(assert, uploads);
|
||||
|
||||
await fillIn(
|
||||
".d-editor-input",
|
||||
`
|
||||

|
||||
|
||||
\`<script>alert("xss")</script>\`
|
||||
`
|
||||
);
|
||||
|
||||
await triggerEvent($(".d-editor-preview img"), "mouseover");
|
||||
|
||||
assert.ok(
|
||||
find("script").length === 0,
|
||||
"it does not unescapes script tags in code blocks"
|
||||
);
|
||||
});
|
||||
|
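Review bot: The negative assertion `find("script").length === 0` can pass vacuously: if `$(".d-editor-preview img")` matches nothing (the template literal passed to `fillIn` appears partly lost in this rendering, so whether it actually yields a preview image cannot be confirmed from the hunk), `triggerEvent` has no target, the hover path that the fix presumably hardens never runs, and a script count of zero proves nothing. Add a precondition before the mouseover, `assert.ok(find(".d-editor-preview img").length > 0, "preview renders an image to hover");`, and pair the negative check with a positive one showing the payload survived as escaped text rather than being dropped, e.g. asserting that the preview's text content still includes `<script>alert("xss")</script>` (the exact selector depends on how the preview renders inline code, which the hunk does not show). The assertion message also has a grammar slip; use `"it does not unescape script tags in code blocks"`. The enclosing `QUnit.test("Image resizing buttons", ...)` starts outside the hunk.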