fix a small possible xss in personImage handlebar helpers if the attacker had access to your root domain. fixes #3392

This commit is contained in:
Maxwell Salzberg 2012-06-16 14:59:51 -07:00
parent ab28c53626
commit d3487c8b7d


@ -22,5 +22,5 @@ Handlebars.registerHelper('personImage', function(person, size, imageClass) {
size = (typeof(size) != "string" ? "small" : size); size = (typeof(size) != "string" ? "small" : size);
imageClass = (typeof(imageClass) != "string" ? size : imageClass); imageClass = (typeof(imageClass) != "string" ? size : imageClass);
return "<img src=\"" + person.avatar[size] +"\" class=\"avatar " + imageClass + "\" title=\"" + person.name +"\" />"; return "<img src=\"" + person.avatar[size] +"\" class=\"avatar " + imageClass + "\" title=\"" + _.escape(person.name) +"\" />";
}) })
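Review bot: The escaping on the return line is applied only to `person.name`; the other two interpolated values, `person.avatar[size]` in the src attribute and `imageClass` in the class attribute, are still concatenated raw, so a double quote in either can still close the attribute and inject markup into the same element the commit is hardening. The avatar value comes from the same person object as the name and therefore deserves the same treatment, and escaping every interpolation keeps the helper's trust model consistent instead of depending on where each field originates. Proposed line: `return "<img src=\"" + _.escape(person.avatar[size]) + "\" class=\"avatar " + _.escape(imageClass) + "\" title=\"" + _.escape(person.name) + "\" />";`. Note that attribute escaping does not validate the URL itself, so if the avatar value is not already constrained server-side to an http(s) path that check belongs upstream; I am inferring the data source from the field names. The helper's signature sits in the hunk header context, so the function starts before this hunk.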