github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-06-06 11:36:01 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: XSS when displaying watched words in admin panel.

Browse Source 
The XSS here is only possible if CSP is disabled. Low impact since CSP
is enabled by default in SiteSettings.
This commit is contained in:
Guo Xiang Tan
2019-07-15 10:55:50 +08:00
parent a4234e9be0
commit 4b0cf7f6dd
3 changed files with 10 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
app/assets/javascripts/admin/components/admin-watched-word.js.es6
View File

@ -1,5 +1,6 @@
import { iconHTML } from "discourse-common/lib/icon-library";
import { bufferedRender } from "discourse-common/lib/buffered-render";
import { escapeExpression } from "discourse/lib/utilities";
export default Ember.Component.extend(
bufferedRender({
@ -7,7 +8,7 @@ export default Ember.Component.extend(
buildBuffer(buffer) {
buffer.push(iconHTML("times"));
buffer.push(" " + this.get("word.word"));
buffer.push(` ${escapeExpression(this.get("word.word"))}`);
},
click() {