SECURITY: prevents XSS in local-dates

plugins/discourse-local-dates/assets/javascripts/discourse-local-dates.js

@@ -46,10 +46,7 @@
 
       var html = "<span>";
       html += "<i class='fa fa-globe d-icon d-icon-globe'></i>";
-      html += relativeTime.replace(
+      html += "<span class='relative-time'></span>";
-        "TZ",
-        _formatTimezone(moment.tz.guess()).join(": ")
-      );
       html += "</span>";
 
       var joinedPreviews = previews.join(" – ");
@@ -58,7 +55,14 @@
         .html(html)
         .attr("title", joinedPreviews)
         .attr("data-tooltip", joinedPreviews)
-        .addClass("cooked");
+        .addClass("cooked")
+        .find(".relative-time")
+        .text(
+          relativeTime.replace(
+            "TZ",
+            _formatTimezone(moment.tz.guess()).join(": ")
+          )
+        );
 
       if (repeat) {
         this.timeout = setTimeout(function() {

plugins/discourse-local-dates/assets/javascripts/lib/discourse-markdown/discourse-local-dates.js.es6

@@ -25,13 +25,17 @@ function addLocalDate(buffer, matches, state) {
   token = new state.Token("span_open", "span", 1);
   token.attrs = [
     ["class", "discourse-local-date"],
-    ["data-date", config.date],
+    ["data-date", state.md.utils.escapeHtml(config.date)],
-    ["data-time", config.time],
+    ["data-time", state.md.utils.escapeHtml(config.time)],
-    ["data-format", config.format],
+    ["data-format", state.md.utils.escapeHtml(config.format)],
-    ["data-timezones", config.timezones]
+    ["data-timezones", state.md.utils.escapeHtml(config.timezones)]
   ];
+
   if (config.recurring) {
-    token.attrs.push(["data-recurring", config.recurring]);
+    token.attrs.push([
+      "data-recurring",
+      state.md.utils.escapeHtml(config.recurring)
+    ]);
   }
   buffer.push(token);