github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-22 22:43:33 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: escape title HTML for inline onebox

Browse Source
This commit is contained in:
Sam
2019-01-10 12:02:05 +11:00
parent c85b9c6ed3
commit 35b59cfa78
2 changed files with 4 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
lib/cooked_post_processor.rb
View File

@ -655,7 +655,7 @@ class CookedPostProcessor
)
if title = inline_onebox&.dig(:title)
element.children = title
element.children = CGI.escapeHTML(title)
element.add_class(INLINE_ONEBOX_CSS_CLASS)
end