SECURITY: Welcome banner user name XSS
Prevents malformed user names (_not_ usernames) from rendering as HTML in the welcome banner. This only affects the user themselves and any admin who impersonates that user.
This commit is contained in:
parent
4edad4dc3c
commit
a3374d2850
2 changed files with 17 additions and 4 deletions
|
@ -9,6 +9,7 @@ import SearchMenu from "discourse/components/search-menu";
|
|||
import bodyClass from "discourse/helpers/body-class";
|
||||
import concatClass from "discourse/helpers/concat-class";
|
||||
import { prioritizeNameFallback } from "discourse/lib/settings";
|
||||
import { sanitize } from "discourse/lib/text";
|
||||
import { defaultHomepage, escapeExpression } from "discourse/lib/utilities";
|
||||
import I18n, { i18n } from "discourse-i18n";
|
||||
|
||||
|
@ -79,9 +80,8 @@ export default class WelcomeBanner extends Component {
|
|||
}
|
||||
|
||||
return i18n("welcome_banner.header.logged_in_members", {
|
||||
preferred_display_name: prioritizeNameFallback(
|
||||
this.currentUser.name,
|
||||
this.currentUser.username
|
||||
preferred_display_name: sanitize(
|
||||
prioritizeNameFallback(this.currentUser.name, this.currentUser.username)
|
||||
),
|
||||
});
|
||||
}
|
||||
|
@ -118,7 +118,9 @@ export default class WelcomeBanner extends Component {
|
|||
get bgImgStyle() {
|
||||
if (this.siteSettings.welcome_banner_image) {
|
||||
return htmlSafe(
|
||||
`background-image: url(${escapeExpression(this.siteSettings.welcome_banner_image)})`
|
||||
`background-image: url(${escapeExpression(
|
||||
this.siteSettings.welcome_banner_image
|
||||
)})`
|
||||
);
|
||||
}
|
||||
}
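Review bot: `sanitize()` in the second hunk is, as far as its name and the lib/text import suggest, an allow-list HTML sanitizer rather than an escaper, so a name built from whatever tags that allow-list permits would still render as markup in the banner even though the field is plain text. Since `escapeExpression` is already imported on the line following the new import and is used for the background image in the third hunk, `preferred_display_name: escapeExpression(prioritizeNameFallback(this.currentUser.name, this.currentUser.username)),` would be the more conservative choice and keeps the file on one escaping primitive. If `sanitize` was chosen deliberately (for example so that stray tags disappear instead of appearing as literal text), a one-line comment such as `// name is user-controlled and the translated string is rendered as HTML; strip markup rather than trust it` would tell the next reader why this call differs from the rest of the file. The getter that contains this `return` starts before the hunk, so whether the i18n result is marked html-safe downstream is inferred from the commit message, not visible here.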
|
||||
|
|
|
@ -48,6 +48,17 @@ module(
|
|||
}),
|
||||
"banner contains the correct message for logged in users with username"
|
||||
);
|
||||
|
||||
this.currentUser.name = "<input type='text'></input>Robin Ward";
|
||||
await render(<template><WelcomeBanner /></template>);
|
||||
|
||||
assert.dom(".welcome-banner").containsText(
|
||||
i18n("welcome_banner.header.logged_in_members", {
|
||||
preferred_display_name: "Robin Ward",
|
||||
}),
|
||||
"banner contains the correct message for logged in users with username"
|
||||
);
|
||||
assert.dom(".welcome-banner .welcome-banner__title input").doesNotExist();
|
||||
});
|
||||
}
|
||||
);
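Review bot: The assertion message on the added case repeats the earlier one, `"banner contains the correct message for logged in users with username"`, although this case is about a name containing markup; something like `"banner renders a name containing markup as plain text"` would make a failure self-explanatory. The `doesNotExist()` check on `.welcome-banner__title input` only shows that this one element was removed, so a second case using a tag an allow-list sanitizer is likely to keep (a `<b>` or `<a>` wrapper, depending on configuration) would distinguish "stripped" from "escaped" and would catch a regression to a permissive allow-list. The enclosing `test` callback starts before the hunk.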
|
||||
|
|