From 89e7d95cc768d3911fcc012c77f591d767cf792e Mon Sep 17 00:00:00 2001
From: Joffrey JAFFEUX
Date: Mon, 27 Aug 2018 11:19:30 +0200
Subject: [PATCH] SECURITY: prevents XSS in local-dates
---
 .../assets/javascripts/discourse-local-dates.js | 14 +++++++++-----
 .../discourse-local-dates.js.es6 | 14 +++++++++-----
 2 files changed, 18 insertions(+), 10 deletions(-)
diff --git a/plugins/discourse-local-dates/assets/javascripts/discourse-local-dates.js b/plugins/discourse-local-dates/assets/javascripts/discourse-local-dates.js
index 9870b99b227..9e4583166e0 100644
--- a/plugins/discourse-local-dates/assets/javascripts/discourse-local-dates.js
+++ b/plugins/discourse-local-dates/assets/javascripts/discourse-local-dates.js
@@ -46,10 +46,7 @@
 var html = "";
 html += "";
- html += relativeTime.replace( "TZ", _formatTimezone(moment.tz.guess()).join(": ") );
+ html += "";
 html += "";
 var joinedPreviews = previews.join(" – ");
@@ -58,7 +55,14 @@
 .html(html)
 .attr("title", joinedPreviews)
 .attr("data-tooltip", joinedPreviews)
- .addClass("cooked");
+ .addClass("cooked")
+ .find(".relative-time")
+ .text(
+ relativeTime.replace(
+ "TZ",
+ _formatTimezone(moment.tz.guess()).join(": ")
+ )
+ );
 if (repeat) {
 this.timeout = setTimeout(function() {
diff --git a/plugins/discourse-local-dates/assets/javascripts/lib/discourse-markdown/discourse-local-dates.js.es6 b/plugins/discourse-local-dates/assets/javascripts/lib/discourse-markdown/discourse-local-dates.js.es6
index bb32e9d3034..6545aab6b3f 100644
--- a/plugins/discourse-local-dates/assets/javascripts/lib/discourse-markdown/discourse-local-dates.js.es6
+++ b/plugins/discourse-local-dates/assets/javascripts/lib/discourse-markdown/discourse-local-dates.js.es6
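Review bot: The `.find(".relative-time").text(...)` step appended to the chain in the second hunk only works if the markup concatenated into `html` a few lines earlier actually contains a `.relative-time` element (the string literals appear empty in this rendering, so that cannot be verified here); on an empty jQuery set `.text()` is a silent no-op, so the relative time would vanish without any error. Since this commit deliberately routes `relativeTime` through `.text()` instead of the `html` string, the invariant deserves a comment on the `.find` line such as `// relativeTime is treated as untrusted: set via .text(), never concatenated into html`, so a later refactor does not move it back. `joinedPreviews` is set with `.attr("title", …)` and `.attr("data-tooltip", …)`, which is safe for the DOM attribute itself, but if whatever consumes `data-tooltip` injects it as HTML the previews would need the same treatment — not decidable from this hunk. The function enclosing this chain starts and ends outside the hunk.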
@@ -25,13 +25,17 @@ function addLocalDate(buffer, matches, state) {
 token = new state.Token("span_open", "span", 1);
 token.attrs = [
 ["class", "discourse-local-date"],
- ["data-date", config.date],
- ["data-time", config.time],
- ["data-format", config.format],
- ["data-timezones", config.timezones]
+ ["data-date", state.md.utils.escapeHtml(config.date)],
+ ["data-time", state.md.utils.escapeHtml(config.time)],
+ ["data-format", state.md.utils.escapeHtml(config.format)],
+ ["data-timezones", state.md.utils.escapeHtml(config.timezones)]
 ];
+
 if (config.recurring) {
- token.attrs.push(["data-recurring", config.recurring]);
+ token.attrs.push([
+ "data-recurring",
+ state.md.utils.escapeHtml(config.recurring)
+ ]);
 }
 buffer.push(token);