
Merge pull request #4964 from ErisDS/xss-fix

Mark intentionally-HTML notifications as html-safe; escape everything else
This commit is contained in:
Matt Enlow 2015-02-28 09:41:58 -07:00
commit 05a0dda344
3 changed files with 9 additions and 6 deletions


@ -197,7 +197,7 @@ EditorControllerMixin = Ember.Mixin.create(MarkerManager, {
if (status === 'published') {
message += '&nbsp;<a href="' + path + '">View ' + this.get('postOrPage') + '</a>';
}
this.notifications.showSuccess(message, {delayed: delay});
this.notifications.showSuccess(message.htmlSafe(), {delayed: delay});
},
showErrorNotification: function (prevStatus, status, errors, delay) {
@ -206,7 +206,7 @@ EditorControllerMixin = Ember.Mixin.create(MarkerManager, {
message += '<br />' + error;
this.notifications.showError(message, {delayed: delay});
this.notifications.showError(message.htmlSafe(), {delayed: delay});
},
shouldFocusTitle: Ember.computed.alias('model.isNew'),
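Review bot: On the line `message += '<br />' + error;` the error text is concatenated raw and the whole string is then marked `htmlSafe()`, so any markup inside a validation error message will reach the DOM unescaped; unless every entry in `errors` is a constant string, escape it before concatenating, `message += '<br />' + Ember.Handlebars.Utils.escapeExpression(error);`. The success branch has the same shape: `path` is interpolated into an `href` before the `htmlSafe()` call, and if it can ever derive from user-controlled data such as a slug it should be escaped as well. The body of `showErrorNotification` continues outside the hunk, so where `error` comes from is not visible here.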


@ -29,12 +29,15 @@ function formatErrors(errors, opts) {
// get the validator's error messages from the array.
// normalize array members to map to strings.
message = errors.map(function (error) {
var errorMessage;
if (typeof error === 'string') {
return error;
errorMessage = error;
} else {
errorMessage = error.message;
}
return error.message;
}).join('<br />');
return Ember.Handlebars.Utils.escapeExpression(errorMessage);
}).join('<br />').htmlSafe();
} else if (errors instanceof Error) {
message += errors.message || '.';
} else if (typeof errors === 'object') {
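Review bot: After this change the array branch leaves `message` as an `htmlSafe()` SafeString while the `Error` and plain-object branches keep it a plain string, so `formatErrors` now returns two different types depending on its input; if any later `message += ...` runs on the array path (the function continues past the hunk), the SafeString would be coerced back to a plain string and the `<br />` separators would then be escaped by the template. A comment stating the contract would make this durable: `// each message is escaped individually so only our '<br />' separators are trusted as HTML`. Separately, `errorMessage = error.message;` still throws on a `null` array entry; `errorMessage = error && error.message;` avoids that, though the issue predates this commit.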


@ -1,6 +1,6 @@
<section {{bind-attr class=":js-notification typeClass"}}>
<span class="notification-message">
{{{message.message}}}
{{message.message}}
</span>
<button class="close" {{action "closeNotification"}}><span class="hidden">Close</span></button>
</section>
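Review bot: With `{{message.message}}` now escaping by default, any other caller of `showSuccess`/`showError` that still passes a markup-bearing plain string will render its tags as literal text; only the editor controller call sites are converted in this commit, so the remaining notification callers should be audited (not visible here). The template itself should carry the contract so the next maintainer does not reintroduce the triple-stash: `{{!-- message.message is escaped unless the caller built it from escaped content and marked it htmlSafe() --}}`.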