github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-06-03 02:48:28 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: Remove XSS in composer preview when applying image scale buttons.

Browse Source
This commit is contained in:
Guo Xiang Tan
2019-04-08 11:20:28 +08:00
parent 13c6bf54d0
commit 33fa249fa5
2 changed files with 22 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
app/assets/javascripts/discourse/components/composer-editor.js.es6
View File

@ -878,15 +878,13 @@ export default Ember.Component.extend({
if ($preview.find(".codeblock-image").length === 0) { if ($preview.find(".codeblock-image").length === 0) {
this.$(".d-editor-preview *") this.$(".d-editor-preview *")
.contents() .contents()
.filter(function() {
return this.nodeType === 3; // TEXT_NODE
})
.each(function() { .each(function() {
$(this).replaceWith( if (this.nodeType !== 3) return; // TEXT_NODE
$(this) const $this = $(this);
.text()
.replace(imageScaleRegex, "<span class='codeblock-image'>$&</a>") if ($this.text().match(imageScaleRegex)) {
); $this.wrap("<span class='codeblock-image'></span>");
}
}); });
} }

16
test/javascripts/acceptance/composer-test.js.es6
View File

@ -754,4 +754,20 @@ QUnit.test("Image resizing buttons", async assert => {
uploads[9] = "![identicalImage|300x300,75%](upload://identicalImage.png)"; uploads[9] = "![identicalImage|300x300,75%](upload://identicalImage.png)";
await click(find(".button-wrapper .scale-btn[data-scale='75']")[5]); await click(find(".button-wrapper .scale-btn[data-scale='75']")[5]);
assertImageResized(assert, uploads); assertImageResized(assert, uploads);
await fillIn(
".d-editor-input",
`
![test|690x313](upload://test.png)
\`<script>alert("xss")</script>\`
`
);
await triggerEvent($(".d-editor-preview img"), "mouseover");
assert.ok(
find("script").length === 0,
"it does not unescapes script tags in code blocks"
);
}); });