SECURITY: Ensure channel name and description are always escaped. (#1280
)
romanrizzi committed Oct 5, 2022
1 parent bfee64a commit 2573773
Showing 8 changed files with 22 additions and 19 deletions.
Expand Up @@ -14,7 +14,6 @@ import {
} from "discourse/plugins/discourse-chat/discourse/components/chat-to-topic-selector";
import { CHANNEL_STATUSES } from "discourse/plugins/discourse-chat/discourse/models/chat-channel";
import { htmlSafe } from "@ember/template";
import { escapeExpression } from "discourse/lib/utilities";

export default Component.extend({
chat: service(),
Expand Down Expand Up @@ -108,7 +107,7 @@ export default Component.extend({
instructionsText() {
return htmlSafe(
I18n.t("chat.channel_archive.instructions", {
channelTitle: escapeExpression(this.chatChannel.title),
channelTitle: this.chatChannel.escapedTitle,
})
);
},
Expand Up @@ -8,7 +8,6 @@ import { inject as service } from "@ember/service";
import { popupAjaxError } from "discourse/lib/ajax-error";
import discourseLater from "discourse-common/lib/later";
import { htmlSafe } from "@ember/template";
import { escapeExpression } from "discourse/lib/utilities";

export default Component.extend({
chat: service(),
Expand All @@ -27,8 +26,8 @@ export default Component.extend({

if (
isEmpty(channelNameConfirmation) ||
escapeExpression(channelNameConfirmation).toLowerCase() !==
this.escapedTitle.toLowerCase()
channelNameConfirmation.toLowerCase() !==
this.chatChannel.title.toLowerCase()
) {
return true;
}
Expand Down Expand Up @@ -62,13 +61,8 @@ export default Component.extend({
instructionsText() {
return htmlSafe(
I18n.t("chat.channel_delete.instructions", {
name: this.escapedTitle,
name: this.chatChannel.escapedTitle,
})
);
},

@discourseComputed()
escapedTitle() {
return escapeExpression(this.chatChannel.title);
},
});
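Review bot: The component-level `escapedTitle` computed property is deleted here, but this component's template is not part of the diff; if that template referenced `escapedTitle` directly (rather than only through `instructionsText`), it now resolves to undefined, so please confirm the template only consumes `instructionsText`. The confirmation check now compares the raw `channelNameConfirmation` with the raw `this.chatChannel.title`, which is the right direction — escaping is an output concern, and the old escaped-vs-escaped comparison would have been sensitive to how `&`, `<` or quotes were encoded on each side. One caveat: `this.chatChannel.title.toLowerCase()` assumes `title` is always a string, which I cannot verify from this hunk; if a channel can arrive without a title, a guard such as `(this.chatChannel.title ?? "").toLowerCase()` would avoid a TypeError in the disable check. The enclosing component definition starts outside the first hunk.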
Expand Up @@ -7,7 +7,6 @@ import { ajax } from "discourse/lib/ajax";
import { inject as service } from "@ember/service";
import { popupAjaxError } from "discourse/lib/ajax-error";
import { htmlSafe } from "@ember/template";
import { escapeExpression } from "discourse/lib/utilities";

export default class MoveToChannelModalInner extends Component {
@service chat;
Expand Down Expand Up @@ -58,7 +57,7 @@ export default class MoveToChannelModalInner extends Component {
get instructionsText() {
return htmlSafe(
I18n.t("chat.move_to_channel.instructions", {
channelTitle: escapeExpression(this.sourceChannel.title),
channelTitle: this.sourceChannel.escapedTitle,
count: this.selectedMessageCount,
})
);
4 changes: 2 additions & 2 deletions assets/javascripts/discourse/initializers/chat-sidebar.js
Expand Up @@ -78,7 +78,7 @@ export default {
}

get title() {
return escapeExpression(this.channel.title);
return this.channel.escapedTitle;
}

get text() {
Expand Down Expand Up @@ -242,7 +242,7 @@ export default {
}

get title() {
return escapeExpression(this.channel.title);
return this.channel.escapedTitle;
}

get oneOnOneMessage() {
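Review bot: Both `get title()` getters in this file stop calling `escapeExpression`, yet the file's diffstat (2 additions, 2 deletions) shows no import line removed, so the `escapeExpression` import in chat-sidebar.js is presumably still present; if these two getters were its only uses it is now dead and the linter will flag it — please confirm and drop the import line if so. Unlike the three component files earlier in this commit, which remove their now-unused import, this one would be left inconsistent. The enclosing objects of both getters start and end outside the hunks.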
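--- a/assets/javascripts/discourse/models/chat-channel.js
+++ b/assets/javascripts/discourse/models/chat-channel.js
@@ -4,6 +4,7 @@ import { computed } from "@ember/object";
 import User from "discourse/models/user";
 import UserChatChannelMembership from "discourse/plugins/discourse-chat/discourse/models/user-chat-channel-membership";
 import { ajax } from "discourse/lib/ajax";
+import { escapeExpression } from "discourse/lib/utilities";
 
 export const CHATABLE_TYPES = {
 directMessageChannel: "DirectMessageChannel",
@@ -62,6 +63,16 @@ export default class ChatChannel extends RestModel {
 isDraft = false;
 lastSendReadMessageId = null;
 
+@computed("title")
+get escapedTitle() {
+return escapeExpression(this.title);
+}
+
+@computed("description")
+get escapedDescription() {
+return escapeExpression(this.description);
+}
+
 @computed("chatable_type")
 get isDirectMessageChannel() {
 return this.chatable_type === CHATABLE_TYPES.directMessageChannel;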
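Review bot: `escapedTitle` and `escapedDescription` carry no documentation of the contract the rest of this commit depends on: their value is HTML-escaped text meant for sinks that render HTML without further escaping (the `htmlSafe(I18n.t(...))` instruction strings and the `replace-emoji` call sites changed in this commit), and it must not be escaped a second time or used in an attribute or URL context. I would add above `escapedTitle` a comment such as `// HTML-escaped title for use with htmlSafe/HTML-producing helpers; never escape again.` and the equivalent above `escapedDescription`, so that a future caller reaching for the raw `title` in an HTML-producing helper has a signpost. It would also help to state that `escapeExpression` performs HTML-entity escaping only, so these getters are the right choice for HTML text nodes and nothing else. The enclosing `ChatChannel` class continues outside the hunk.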
Expand Up @@ -27,7 +27,7 @@
</label>
<div class="chat-form__control">
<div class="channel-info-about-view__title">
{{replace-emoji channel.title}}
{{replace-emoji channel.escapedTitle}}
</div>
</div>
</div>
Expand Up @@ -24,7 +24,7 @@
class="chat-channel-card__name-container"
}}
<span class="chat-channel-card__name">
{{replace-emoji channel.title}}
{{replace-emoji channel.escapedTitle}}
</span>
{{#if channel.chatable.read_restricted}}
{{d-icon "lock" class="chat-channel-card__read-restricted"}}
Expand All @@ -33,7 +33,7 @@

{{#if channel.description}}
<div class="chat-channel-card__description">
{{replace-emoji channel.description}}
{{replace-emoji channel.escapedDescription}}
</div>
{{/if}}

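Review bot: None of the 8 changed files is a test, so nothing pins the behaviour this commit fixes: that a channel title or description containing markup renders as literal text when passed through `replace-emoji` here, in the template at lines 130-139 and in the one at lines 159-168. A component or acceptance test that sets a title like a constructed `<b>not bold</b>` and asserts the rendered `.chat-channel-card__name` text contains the angle brackets (and no `b` element) would catch a regression to `channel.title`. The switch to `channel.escapedTitle` / `channel.escapedDescription` is also the only thing stopping other templates from repeating the issue, so it is worth a grep for any remaining `channel.title` or `channel.description` passed to an HTML-producing helper outside this diff — that cannot be verified from this page.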
Expand Up @@ -44,7 +44,7 @@
{{/if}}
</span>
<span class="chat-channel-title__name">
{{replace-emoji channel.title}}
{{replace-emoji channel.escapedTitle}}
</span>

{{#if (has-block)}}
