SECURITY: escape quotes in tag description when rendering (#19730)
Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
tgxworld and danielwaterworth committed Jan 4, 2023
1 parent cbcf8a0 commit 6923298
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion app/assets/javascripts/discourse/app/lib/render-tag.js
Expand Up @@ -2,6 +2,7 @@ import User from "discourse/models/user";
import { escapeExpression } from "discourse/lib/utilities";
import getURL from "discourse-common/lib/get-url";
import { helperContext } from "discourse-common/lib/helpers";
import { escape } from "pretty-text/sanitizer";

let _renderer = defaultRenderTag;

Expand Down Expand Up @@ -44,7 +45,7 @@ export function defaultRenderTag(tag, params) {
href +
" data-tag-name=" +
tag +
(params.description ? ' title="' + params.description + '" ' : "") +
(params.description ? ' title="' + escape(params.description) + '" ' : "") +
" class='" +
classes.join(" ") +
"'>" +
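Review bot: The new line at `escape(params.description)` brings in a second escaping helper, `escape` from pretty-text/sanitizer, while `escapeExpression` from discourse/lib/utilities is already imported in this file; unless the sanitizer's `escape` is required for a reason the commit does not state, `' title="' + escapeExpression(params.description) + '" '` would keep one escaping convention in the file and drop the new import. Whichever helper stays, a short comment such as `// description is user-supplied; escape it before it lands in the title attribute` on that line would record why the call is there, since the surrounding concatenation gives no hint. The preceding line, `tag +`, concatenates the tag name into the unquoted `data-tag-name=` attribute with no escaping visible in the hunk; if it is not already escaped earlier in defaultRenderTag, which starts outside the hunk, it warrants the same treatment. The same applies to `href`, which is assembled before the hunk begins and is not visible here.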
