SECURITY: prevents XSS in local-dates

2025-05-22 05:01:14 +08:00 · 2018-08-27 11:19:30 +02:00
parent cf3b7ccae2
commit 89e7d95cc7
2 changed files with 18 additions and 10 deletions
--- a/plugins/discourse-local-dates/assets/javascripts/lib/discourse-markdown/discourse-local-dates.js.es6
+++ b/plugins/discourse-local-dates/assets/javascripts/lib/discourse-markdown/discourse-local-dates.js.es6
@ -25,13 +25,17 @@ function addLocalDate(buffer, matches, state) {
  token = new state.Token("span_open", "span", 1);
  token.attrs = [
    ["class", "discourse-local-date"],
-    ["data-date", config.date],
-    ["data-time", config.time],
-    ["data-format", config.format],
-    ["data-timezones", config.timezones]
+    ["data-date", state.md.utils.escapeHtml(config.date)],
+    ["data-time", state.md.utils.escapeHtml(config.time)],
+    ["data-format", state.md.utils.escapeHtml(config.format)],
+    ["data-timezones", state.md.utils.escapeHtml(config.timezones)]
  ];
+
  if (config.recurring) {
-    token.attrs.push(["data-recurring", config.recurring]);
+    token.attrs.push([
+      "data-recurring",
+      state.md.utils.escapeHtml(config.recurring)
+    ]);
  }
  buffer.push(token);