
🐛 Fixed XSS vulnerability involving post excerpts #17190

Merged
merged 4 commits into TryGhost:main from XSS-patch on Dec 13, 2023

Conversation

joeldesante
Contributor

@joeldesante joeldesante commented Jul 4, 2023

fixes #17058

  • Uses the lodash escape function.
  • Avoids XSS vulnerabilities in post excerpts.

馃 Generated by Copilot at d347a0a

Fixed a security issue by escaping excerpt text in excerpt.js. This prevents malicious HTML or scripts from being rendered in the post summaries.
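As an added illustration (not code from this PR or from Ghost), the shape of the fix: an excerpt built from tag-stripped, entity-decoded post text can carry a raw `<script>` tag out of a code block and into the page, and escaping the finished excerpt before it is emitted as HTML renders it literally instead. `escapeHtml` is a stand-in for lodash's `escape` with the same five replacements; the entity-decoding step is an assumption of this simplified model of how plaintext is derived.

```javascript
// Stand-in for lodash's escape(): same five characters, same entities.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Decode the entities a code block in stored post HTML typically carries.
// (Assumption of this model: plaintext derivation decodes entities.)
function decodeEntities(str) {
  return str
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'").replace(/&amp;/g, '&');
}

// Unsafe shape: strip tags, decode entities, truncate. If the result is later
// inserted into the page as raw HTML, markup that only appeared inside a code
// block comes back out as live markup.
function excerptUnsafe(html, maxLen = 200) {
  const text = decodeEntities(html.replace(/<[^>]*>/g, ''));
  return text.slice(0, maxLen);
}

// Hardened shape, mirroring the PR: escape the finished excerpt so any
// markup-looking characters from the post body render literally.
function excerptSafe(html, maxLen = 200) {
  return escapeHtml(excerptUnsafe(html, maxLen));
}

// Constructed sample post: a code block that shows a script tag to the reader,
// stored entity-encoded as an editor would save it.
const samplePostHtml =
  '<p>How to embed a widget:</p>' +
  '<pre><code>&lt;script src="widget.js"&gt;&lt;/script&gt;</code></pre>';

// Detection helper for tests and logging: does a string contain a raw <script> tag?
function containsRawScriptTag(s) {
  return /<script[\s>]/i.test(s);
}

console.log('unsafe:', excerptUnsafe(samplePostHtml));
console.log('safe:  ', excerptSafe(samplePostHtml));
```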

@joeldesante joeldesante marked this pull request as ready for review July 4, 2023 01:52
fixes TryGhost#17058

- Uses the lodash `escape` function.
- Avoids XSS vulnerabilities in post excerpts.
@joeldesante
Contributor Author

joeldesante commented Jul 16, 2023

Hi @daniellockyer

I see you merged my patch into a branch somewhere outside of this repo. I was wondering if you had any comments on this PR?

This is my first time submitting a PR to this repository (or any non-personal repository for that matter) so I am unfamiliar with what the process is to have my PR accepted and merged.

Is there anything more I need to do?

Thanks, Joel

@9larsons 9larsons merged commit dc7e2b9 into TryGhost:main Dec 13, 2023
20 checks passed
@9larsons
Contributor

@joeldesante thanks for the contribution! Sorry for letting this one sit.

@joeldesante
Contributor Author

Not a problem at all! Thanks!

yunaycompany pushed a commit to yunaycompany/Ghost that referenced this pull request Dec 14, 2023
closes TryGhost#17058

- Uses the lodash `escape` function.
- Avoids XSS vulnerabilities in post excerpts.
@joeldesante joeldesante deleted the XSS-patch branch January 30, 2024 11:20
Linked issue (#17058): Code blocks are not sanitized during excerpt generation. Unintended script execution possible.