Infrastructure/ghost
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2025-01-13 22:41:32 -05:00
Code Issues Activity

Merge pull request #4964 from ErisDS/xss-fix

Browse source 
Mark html notifications as html-safe, else escape
This commit is contained in:
Matt Enlow 2015-02-28 09:41:58 -07:00
commit 05a0dda344
3 changed files with 9 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
core/client/mixins/editor-base-controller.js
View file

@ -197,7 +197,7 @@ EditorControllerMixin = Ember.Mixin.create(MarkerManager, {
if (status === 'published') { if (status === 'published') {
message += '&nbsp;<a href="' + path + '">View ' + this.get('postOrPage') + '</a>'; message += '&nbsp;<a href="' + path + '">View ' + this.get('postOrPage') + '</a>';
} }
this.notifications.showSuccess(message, {delayed: delay}); this.notifications.showSuccess(message.htmlSafe(), {delayed: delay});
}, },
showErrorNotification: function (prevStatus, status, errors, delay) { showErrorNotification: function (prevStatus, status, errors, delay) {
@ -206,7 +206,7 @@ EditorControllerMixin = Ember.Mixin.create(MarkerManager, {
message += '<br />' + error; message += '<br />' + error;
this.notifications.showError(message, {delayed: delay}); this.notifications.showError(message.htmlSafe(), {delayed: delay});
}, },
shouldFocusTitle: Ember.computed.alias('model.isNew'), shouldFocusTitle: Ember.computed.alias('model.isNew'),

9
core/client/mixins/validation-engine.js
View file

@ -29,12 +29,15 @@ function formatErrors(errors, opts) {
// get the validator's error messages from the array. // get the validator's error messages from the array.
// normalize array members to map to strings. // normalize array members to map to strings.
message = errors.map(function (error) { message = errors.map(function (error) {
var errorMessage;
if (typeof error === 'string') { if (typeof error === 'string') {
return error; errorMessage = error;
} else {
errorMessage = error.message;
} }
return error.message; return Ember.Handlebars.Utils.escapeExpression(errorMessage);
}).join('<br />'); }).join('<br />').htmlSafe();
} else if (errors instanceof Error) { } else if (errors instanceof Error) {
message += errors.message || '.'; message += errors.message || '.';
} else if (typeof errors === 'object') { } else if (typeof errors === 'object') {

2
core/client/templates/components/gh-notification.hbs
View file

@ -1,6 +1,6 @@
<section {{bind-attr class=":js-notification typeClass"}}> <section {{bind-attr class=":js-notification typeClass"}}>
<span class="notification-message"> <span class="notification-message">
{{{message.message}}} {{message.message}}
</span> </span>
<button class="close" {{action "closeNotification"}}><span class="hidden">Close</span></button> <button class="close" {{action "closeNotification"}}><span class="hidden">Close</span></button>
</section> </section>