Discourse/discourse
Discourse/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-10-04 17:32:34 +08:00
Code Packages Activity Actions 10

SECURITY: Onebox templates' HTML injections.

Browse source 
The use of triple-curlies on Mustache templates opens the possibility for HTML injections.
This commit is contained in:
Roman Rizzi 2023-10-23 14:19:21 -03:00 committed by Krzysztof Kotlarek
parent 5f20748e40
commit d78357917c
4 changed files with 103 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

2
lib/onebox/engine/github_issue_onebox.rb
View file

@ -36,7 +36,7 @@ module Onebox
body, excerpt = compute_body(raw["body"])
ulink = URI(link)

labels = raw["labels"].map { |l| { name: Emoji.codes_to_img(l["name"]) } }
labels = raw["labels"].map { |l| { name: Emoji.codes_to_img(CGI.escapeHTML(l["name"])) } }

{
link: @url,

10
lib/onebox/templates/discourse_category_onebox.mustache
View file

@ -6,15 +6,15 @@
<h3>
<a class="badge-wrapper bullet" href="{{url}}">
{{#color}}
<span class="badge-category-bg" style="background-color: #{{{color}}}"></span>
<span class="badge-category-bg" style="background-color: #{{color}}"></span>
{{/color}}
<span class="clear-badge"><span>{{{name}}}</span></span>
<span class="clear-badge"><span>{{name}}</span></span>
</a>
</h3>
{{#description}}
<div>
<span class="description">
<p>{{{description}}}</p>
<p>{{description}}</p>
</span>
</div>
{{/description}}
@ -23,8 +23,8 @@
{{#subcategories}}
<span class="subcategory">
<a class="badge-wrapper bullet" href="{{url}}">
<span class="badge-category-bg" style="background-color: #{{{color}}}"></span>
<span class="badge-category clear-badge"><span class="category-name">{{{name}}}</span></span>
<span class="badge-category-bg" style="background-color: #{{color}}"></span>
<span class="badge-category clear-badge"><span class="category-name">{{name}}</span></span>
</a>
</span>
{{/subcategories}}