SECURITY: XSS on chat excerpts

Non-markdown tags weren't being escaped in chat excerpts. This could be triggered by editing a chat message containing a tag (self XSS), or by replying to a chat message with a tag (XSS). Co-authored-by: Jan Cernik <jancernik12@gmail.com>
2025-05-22 22:43:33 +08:00 · 2023-03-16 13:40:43 -06:00
parent fd16eade7f
commit a373bf2a01
10 changed files with 68 additions and 9 deletions
--- a/plugins/chat/assets/javascripts/discourse/components/chat-channel-about-view.hbs
+++ b/plugins/chat/assets/javascripts/discourse/components/chat-channel-about-view.hbs
@ -31,7 +31,7 @@
    </label>
    <div class="chat-form__control">
      <div class="channel-info-about-view__name">
-        {{replace-emoji this.channel.escapedTitle}}
+        {{replace-emoji this.channel.title}}
      </div>
      <div class="channel-info-about-view__slug">
        {{this.channel.slug}}
--- a/plugins/chat/assets/javascripts/discourse/components/chat-channel-card.hbs
+++ b/plugins/chat/assets/javascripts/discourse/components/chat-channel-card.hbs
@ -15,7 +15,7 @@
        class="chat-channel-card__name-container"
      >
        <span class="chat-channel-card__name">
-          {{replace-emoji @channel.escapedTitle}}
+          {{replace-emoji @channel.title}}
        </span>
        {{#if @channel.chatable.read_restricted}}
          {{d-icon "lock" class="chat-channel-card__read-restricted"}}
@ -47,7 +47,7 @@

    {{#if @channel.description}}
      <div class="chat-channel-card__description">
-        {{replace-emoji @channel.escapedDescription}}
+        {{replace-emoji @channel.description}}
      </div>
    {{/if}}

--- a/plugins/chat/assets/javascripts/discourse/components/chat-channel-title.hbs
+++ b/plugins/chat/assets/javascripts/discourse/components/chat-channel-title.hbs
@ -59,7 +59,7 @@
        {{/if}}
      </span>
      <span class="chat-channel-title__name">
-        {{replace-emoji this.channel.escapedTitle}}
+        {{replace-emoji this.channel.title}}
      </span>

      {{#if (has-block)}}
--- a/plugins/chat/spec/system/chat_channel_spec.rb
+++ b/plugins/chat/spec/system/chat_channel_spec.rb
@ -189,6 +189,34 @@ RSpec.describe "Chat channel", type: :system, js: true do
    end
  end

+  context "when replying to message that has tags" do
+    fab!(:other_user) { Fabricate(:user) }
+    fab!(:message_2) do
+      Fabricate(
+        :chat_message,
+        user: other_user,
+        chat_channel: channel_1,
+        message: "<mark>not marked</mark>",
+      )
+    end
+
+    before do
+      Fabricate(:chat_message, user: other_user, chat_channel: channel_1)
+      Fabricate(:chat_message, in_reply_to: message_2, user: current_user, chat_channel: channel_1)
+      channel_1.add(other_user)
+      channel_1.add(current_user)
+      sign_in(current_user)
+    end
+
+    it "escapes the reply-to line" do
+      chat.visit_channel(channel_1)
+
+      expect(find(".chat-reply .chat-reply__excerpt")["innerHTML"].strip).to eq(
+        "&lt;mark&gt;not marked&lt;/mark&gt;",
+      )
+    end
+  end
+
  context "when messages are separated by a day" do
    before do
      Fabricate(:chat_message, chat_channel: channel_1, created_at: 2.days.ago)