
SECURITY: Welcome banner user name XSS

Prevents malformed user names (_not_ usernames) from
rendering HTML in the welcome banner. This would only
affect the user and any admin that impersonates that
user.
Martin Brennan 2025-07-28 14:03:30 +10:00 committed by Alan Guo Xiang Tan
parent 4edad4dc3c
commit a3374d2850
No known key found for this signature in database
GPG key ID: 286D2AB58F8C86B6
2 changed files with 17 additions and 4 deletions


@ -9,6 +9,7 @@ import SearchMenu from "discourse/components/search-menu";
import bodyClass from "discourse/helpers/body-class";
import concatClass from "discourse/helpers/concat-class";
import { prioritizeNameFallback } from "discourse/lib/settings";
import { sanitize } from "discourse/lib/text";
import { defaultHomepage, escapeExpression } from "discourse/lib/utilities";
import I18n, { i18n } from "discourse-i18n";

@ -79,9 +80,8 @@ export default class WelcomeBanner extends Component {
}

return i18n("welcome_banner.header.logged_in_members", {
preferred_display_name: prioritizeNameFallback(
this.currentUser.name,
this.currentUser.username
preferred_display_name: sanitize(
prioritizeNameFallback(this.currentUser.name, this.currentUser.username)
),
});
}
@ -118,7 +118,9 @@ export default class WelcomeBanner extends Component {
get bgImgStyle() {
if (this.siteSettings.welcome_banner_image) {
return htmlSafe(
`background-image: url(${escapeExpression(this.siteSettings.welcome_banner_image)})`
`background-image: url(${escapeExpression(
this.siteSettings.welcome_banner_image
)})`
);
}
}
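Review bot: The new `sanitize(...)` wrapper in the `logged_in_members` branch (second hunk) runs the display name through the HTML sanitizer, which presumably keeps allowlisted markup, so a name such as `<b>Robin</b>` would still render as HTML in the banner rather than as literal text. A display name is plain text, so escaping is the tighter fix, and the helper is already imported in this file: `preferred_display_name: escapeExpression(` / `prioritizeNameFallback(this.currentUser.name, this.currentUser.username)`. This assumes the i18n result is rendered as trusted HTML somewhere in the component, which is what makes the injection possible in the first place; that rendering site and the start of the enclosing getter are outside the hunk. The third hunk only reflows the existing `escapeExpression` call in `bgImgStyle` and needs no change.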


@ -48,6 +48,17 @@ module(
}),
"banner contains the correct message for logged in users with username"
);

this.currentUser.name = "<input type='text'></input>Robin Ward";
await render(<template><WelcomeBanner /></template>);

assert.dom(".welcome-banner").containsText(
i18n("welcome_banner.header.logged_in_members", {
preferred_display_name: "Robin Ward",
}),
"banner contains the correct message for logged in users with username"
);
assert.dom(".welcome-banner .welcome-banner__title input").doesNotExist();
});
}
);
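Review bot: The assertion message on the new `containsText` check is copied verbatim from the preceding assertion (`"banner contains the correct message for logged in users with username"`) and no longer describes what is being verified; it should name the case, e.g. `"banner renders the user's name with injected HTML removed"`. The `doesNotExist` check only covers the `<input>` fixture; a second fixture using an allowlisted formatting tag such as `<b>` would show whether the name is escaped or merely sanitized, which the current test cannot distinguish. The enclosing `module(` block starts outside the hunk.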