SECURITY: Remove XSS in composer preview when applying image scale buttons.

SECURITY: Remove XSS in composer preview when applying image scale buttons.

diff --git a/app/assets/javascripts/discourse/components/composer-editor.js.es6 b/app/assets/javascripts/discourse/components/composer-editor.js.es6
index c73d364..e477d52 100644
--- a/app/assets/javascripts/discourse/components/composer-editor.js.es6
+++ b/app/assets/javascripts/discourse/components/composer-editor.js.es6
@@ -878,15 +878,13 @@ export default Ember.Component.extend({
     if ($preview.find(".codeblock-image").length === 0) {
       this.$(".d-editor-preview *")
         .contents()
-        .filter(function() {
-          return this.nodeType === 3; // TEXT_NODE
-        })
         .each(function() {
-          $(this).replaceWith(
-            $(this)
-              .text()
-              .replace(imageScaleRegex, "<span class='codeblock-image'>$&</a>")
-          );
+          if (this.nodeType !== 3) return; // TEXT_NODE
+          const $this = $(this);
+
+          if ($this.text().match(imageScaleRegex)) {
+            $this.wrap("<span class='codeblock-image'></span>");
+          }
         });
     }
 
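Review bot: The `$this.wrap(...)` on the new side wraps the whole text node, while the replaced `replace(imageScaleRegex, ...)` wrapped only the matched `$&` substring, so a text node that mixes other text with the scale marker now ends up entirely inside `.codeblock-image`; that is the safe direction (no HTML re-parsing of escaped preview text), but it is a visible change in what the span covers and deserves a comment such as `// wrap the whole text node; never re-parse its text as HTML (XSS)`, or a `splitText` before the wrap if only the marker should be highlighted. The magic `3` with its trailing comment would read better as `if (this.nodeType !== Node.TEXT_NODE) return;`. If `imageScaleRegex` carries the `g` flag, `.match` is still fine here since it ignores `lastIndex`, but a `.test` call would not be. The enclosing method starts and ends outside the hunk.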
diff --git a/test/javascripts/acceptance/composer-test.js.es6 b/test/javascripts/acceptance/composer-test.js.es6
index e205592..cc8b5e1 100644
--- a/test/javascripts/acceptance/composer-test.js.es6
+++ b/test/javascripts/acceptance/composer-test.js.es6
@@ -754,4 +754,20 @@ QUnit.test("Image resizing buttons", async assert => {
   uploads[9] = "![identicalImage|300x300,75%](upload://identicalImage.png)";
   await click(find(".button-wrapper .scale-btn[data-scale='75']")[5]);
   assertImageResized(assert, uploads);
+
+  await fillIn(
+    ".d-editor-input",
+    `
+![test|690x313](upload://test.png)
+
+\`<script>alert("xss")</script>\`
+    `
+  );
+
+  await triggerEvent($(".d-editor-preview img"), "mouseover");
+
+  assert.ok(
+    find("script").length === 0,
+    "it does not unescapes script tags in code blocks"
+  );
 });
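Review bot: The assertion message on the new side has a grammatical slip and should read `"it does not unescape script tags in code blocks"`. The test only checks that no `script` element exists; it would pin the fix more tightly if it also asserted that the escaped code text is still rendered, for example `assert.ok(find(".d-editor-preview code").text().includes("<script>"), "escaped code text is preserved");`, so a regression that simply dropped the text node would also fail. As far as the hunk shows, `find` is the fixture-scoped helper, so the `script` lookup does not pick up page-level scripts; worth confirming if it is ever changed to a global query.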

GitHub sha: 33fa249f
