FIX: Ensure theme names are escaped in HTML attributes (#15272)

If a theme name contained a double quote, this could lead to invalid or unexpected HTML in the `<head>`.

Note that this is not considered a security issue because themes can only be installed/named by administrators, and themes/administrators already have the ability to run arbitrary javascript.
David Taylor
2021-12-13 10:50:09 +00:00
committed by GitHub
parent bc6bff0e5a
commit 6e9bb84d12
2 changed files with 15 additions and 1 deletions


@ -135,6 +135,20 @@ describe Stylesheet::Manager do
)
end
it "includes the escaped theme name" do
manager = manager(theme.id)
theme.update(name: "a strange name\"with a quote in it")
tag = manager.stylesheet_link_tag(:desktop_theme)
expect(tag).to have_tag("link", with: {
"data-theme-name" => theme.name.downcase
})
expect(tag).to have_tag("link", with: {
"data-theme-name" => child_theme.name.downcase
})
end
context "stylesheet order" do
let(:z_child_theme) do
Fabricate(:theme, component: true, name: "ze component").tap do |z|