SECURITY: Sanitize PendingPost titles before rendering to prevent XSS (#19726)

Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
tgxworld and danielwaterworth committed Jan 4, 2023
1 parent ab3a032 commit c0e2d7b
Showing 1 changed file with 15 additions and 3 deletions.
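--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,14 +1,26 @@
 import DiscourseRoute from "discourse/routes/discourse";
+import { emojiUnescape } from "discourse/lib/text";
+import { escapeExpression } from "discourse/lib/utilities";
 
 export default DiscourseRoute.extend({
 beforeModel() {
 this.username = this.modelFor("user").username_lower;
 },
 
 model() {
-return this.store.findAll("pending-post", {
-username: this.username,
-});
+return this.store
+.findAll("pending-post", {
+username: this.username,
+})
+.then((pendingPosts) => {
+for (let pendingPost of pendingPosts.content) {
+pendingPost.title = emojiUnescape(
+escapeExpression(pendingPost.title)
+);
+}
+
+return pendingPosts;
+});
 },
 
 activate() {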
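Review bot: The in-place rewrite of `pendingPost.title` inside the `.then` callback is not idempotent: `escapeExpression` applied to an already-escaped title turns `&lt;` into `&amp;lt;`, so if `findAll` ever hands back record objects this hook has already processed (a cached store result, or a second visit to the route), titles will render with visible entity text rather than the intended markup. Writing the escaped value into a separate field such as `pendingPost.titleHtml` and leaving the raw `title` untouched, or doing the escaping at the render site, avoids that and also keeps other consumers of the model from receiving HTML in a field that was plain text before this commit. Whichever is kept, the field now holds markup and deserves a comment at the assignment, e.g. `// escape first: emojiUnescape emits <img> tags, so the result is rendered as trusted HTML`. Minor style point: `for (let pendingPost of ...)` never reassigns the binding, so `const` is the idiomatic choice. The `activate()` method on the hunk's last line and the enclosing `DiscourseRoute.extend({...})` continue past the hunk.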
