add extra escaping when using htmlSafe on user input (#469)

no issue
- ensure that we always pre-escape user input when it's used within `htmlSafe` marked output

app/components/gh-posts-list-item.js

@@ -9,7 +9,7 @@ import ActiveLinkWrapper from 'ghost-admin/mixins/active-link-wrapper';
 import {invokeAction} from 'ember-invoke-action';
 
 // ember-cli-shims doesn't export these
-const {ObjectProxy, PromiseProxyMixin} = Ember;
+const {Handlebars, ObjectProxy, PromiseProxyMixin} = Ember;
 
 const ObjectPromiseProxy = ObjectProxy.extend(PromiseProxyMixin);
 
@@ -37,7 +37,9 @@ export default Component.extend(ActiveLinkWrapper, {
     }),
 
     authorAvatarBackground: computed('authorAvatar', function () {
-        return htmlSafe(`background-image: url(${this.get('authorAvatar')})`);
+        let authorAvatar = this.get('authorAvatar');
+        let safeUrl = Handlebars.Utils.escapeExpression(authorAvatar);
+        return htmlSafe(`background-image: url(${safeUrl})`);
     }),
 
     blogTimezone: computed('timeZone.blogTimezone', function () {

app/components/gh-tag-settings-form.js

@@ -65,6 +65,7 @@ export default Component.extend({
 
         if (seoURL.length > 70) {
             seoURL = seoURL.substring(0, 70).trim();
+            seoURL = Handlebars.Utils.escapeExpression(seoURL);
             seoURL = htmlSafe(`${seoURL}…`);
         }
 

app/components/gh-user-active.js

@@ -1,8 +1,12 @@
+import Ember from 'ember';
 import Component from 'ember-component';
 import computed from 'ember-computed';
 import injectService from 'ember-service/inject';
 import {htmlSafe} from 'ember-string';
 
+// ember-cli-shims doesn't export these
+const {Handlebars} = Ember;
+
 export default Component.extend({
     tagName: '',
 
@@ -16,8 +20,9 @@ export default Component.extend({
 
     userImageBackground: computed('user.image', 'userDefault', function () {
         let url = this.get('user.image') || this.get('userDefault');
+        let safeUrl = Handlebars.Utils.escapeExpression(url);
 
-        return htmlSafe(`background-image: url(${url})`);
+        return htmlSafe(`background-image: url(${safeUrl})`);
     }),
 
     lastLoginUTC: computed('user.lastLoginUTC', function () {

app/controllers/post-settings-menu.js

@@ -113,6 +113,7 @@ export default Controller.extend(SettingsMenuMixin, {
 
         if (seoURL.length > 70) {
             seoURL = seoURL.substring(0, 70).trim();
+            seoURL = Handlebars.Utils.escapeExpression(seoURL);
             seoURL = htmlSafe(`${seoURL}…`);
         }
 

app/controllers/team/user.js

@@ -1,3 +1,4 @@
+import Ember from 'ember';
 import Controller from 'ember-controller';
 import computed, {alias, and, not, or, readOnly} from 'ember-computed';
 import injectService from 'ember-service/inject';
@@ -10,6 +11,9 @@ import {task, taskGroup} from 'ember-concurrency';
 import isNumber from 'ghost-admin/utils/isNumber';
 import boundOneWay from 'ghost-admin/utils/bound-one-way';
 
+// ember-cli-shims doesn't export this
+const {Handlebars} = Ember;
+
 export default Controller.extend({
     showDeleteUserModal: false,
     showTransferOwnerModal: false,
@@ -62,8 +66,9 @@ export default Controller.extend({
 
     userImageBackground: computed('user.image', 'userDefault', function () {
         let url = this.get('user.image') || this.get('userDefault');
+        let safeUrl = Handlebars.Utils.escapeExpression(url);
 
-        return htmlSafe(`background-image: url(${url})`);
+        return htmlSafe(`background-image: url(${safeUrl})`);
     }),
     // end duplicated
 
@@ -73,8 +78,9 @@ export default Controller.extend({
 
     coverImageBackground: computed('user.cover', 'coverDefault', function () {
         let url = this.get('user.cover') || this.get('coverDefault');
+        let safeUrl = Handlebars.Utils.escapeExpression(url);
 
-        return htmlSafe(`background-image: url(${url})`);
+        return htmlSafe(`background-image: url(${safeUrl})`);
     }),
 
     coverTitle: computed('user.name', function () {