Commit c33ceff6 authored by Tim Zallmann's avatar Tim Zallmann Committed by Jose Ivan Vargas

Fixes a vulnerability in the temporary rendering of a posted comment

parent 1e878fd7
...@@ -1274,16 +1274,16 @@ export default class Notes { ...@@ -1274,16 +1274,16 @@ export default class Notes {
`<li id="${uniqueId}" class="note being-posted fade-in-half timeline-entry"> `<li id="${uniqueId}" class="note being-posted fade-in-half timeline-entry">
<div class="timeline-entry-inner"> <div class="timeline-entry-inner">
<div class="timeline-icon"> <div class="timeline-icon">
<a href="/${currentUsername}"> <a href="/${_.escape(currentUsername)}">
<img class="avatar s40" src="${currentUserAvatar}" /> <img class="avatar s40" src="${currentUserAvatar}" />
</a> </a>
</div> </div>
<div class="timeline-content ${discussionClass}"> <div class="timeline-content ${discussionClass}">
<div class="note-header"> <div class="note-header">
<div class="note-header-info"> <div class="note-header-info">
<a href="/${currentUsername}"> <a href="/${_.escape(currentUsername)}">
<span class="hidden-xs">${currentUserFullname}</span> <span class="hidden-xs">${_.escape(currentUserFullname)}</span>
<span class="note-headline-light">@${currentUsername}</span> <span class="note-headline-light">@${_.escape(currentUsername)}</span>
</a> </a>
</div> </div>
</div> </div>
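Review bot: `currentUserAvatar` on the `<img class="avatar s40" src="${currentUserAvatar}" />` line, and `uniqueId` and `discussionClass` on the `<li>` and `timeline-content` lines, are still interpolated into the HTML string unescaped, while the same hunk now wraps `currentUsername` and `currentUserFullname` in `_.escape`. If they arrive through the same caller-supplied options object, escaping them the same way removes the need to reason about each value's origin separately: `<img class="avatar s40" src="${_.escape(currentUserAvatar)}" />`. Where those values originate is not visible in the hunk, so this is a consistency point rather than a confirmed defect. The template belongs to a method that starts before the hunk.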
...@@ -768,6 +768,21 @@ import '~/notes'; ...@@ -768,6 +768,21 @@ import '~/notes';
expect($tempNote.prop('nodeName')).toEqual('LI'); expect($tempNote.prop('nodeName')).toEqual('LI');
expect($tempNote.find('.timeline-content').hasClass('discussion')).toBeTruthy(); expect($tempNote.find('.timeline-content').hasClass('discussion')).toBeTruthy();
}); });
it('should return a escaped user name', () => {
const currentUserNameXSS = 'Foo <script>alert("XSS")</script>';
const $tempNote = this.notes.createPlaceholderNote({
formContent: sampleComment,
uniqueId,
isDiscussionNote: false,
currentUsername,
currentUserNameXSS,
currentUserAvatar,
});
const $tempNoteHeader = $tempNote.find('.note-header');
expect($tempNoteHeader.find('.hidden-xs').text().trim()).toEqual('Foo &lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;');
});
}); });
describe('createPlaceholderSystemNote', () => { describe('createPlaceholderSystemNote', () => {
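Review bot: The new `it('should return a escaped user name')` case never feeds its payload into the escaped template: it passes the string under the key `currentUserNameXSS`, which the notes.js template does not read, so `.hidden-xs` is rendered from `currentUserFullname` (presumably undefined here), and the assertion compares against entity-encoded text although jQuery's `.text()` returns decoded text, so it could only pass if the value were double-escaped. Pass the payload under the name the template reads, `currentUserFullname: currentUserNameXSS,`, and assert on the decoded text, `expect($tempNoteHeader.find('.hidden-xs').text().trim()).toEqual(currentUserNameXSS);`, or on the serialized markup, `expect($tempNoteHeader.find('.hidden-xs').html()).toEqual('Foo &lt;script&gt;alert("XSS")&lt;/script&gt;');`. A check that no element was actually created, `expect($tempNote.find('script').length).toEqual(0);`, is the most direct statement of what the fix guarantees. The enclosing `describe('createPlaceholderNote', ...)` block starts before the hunk.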