SECURITY: XSS with title selector on preferences page

Note this is very low severity as the group needs to be created with a default title that contains HTML, and group creation is restricted to staff members right now.

diff --git a/app/assets/javascripts/discourse/models/user.js.es6 b/app/assets/javascripts/discourse/models/user.js.es6
index fee74ec..9beef8e 100644
--- a/app/assets/javascripts/discourse/models/user.js.es6
+++ b/app/assets/javascripts/discourse/models/user.js.es6
@@ -748,7 +748,9 @@ const User = RestModel.extend({
       }
     });
 
-    return _.uniq(titles).sort();
+    return _.uniq(titles)
+      .sort()
+      .map(Ember.Handlebars.Utils.escapeExpression);
   },
 
   @computed("user_option.text_size_seq", "user_option.text_size")
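Review bot: escaping in the model (the `.map(Ember.Handlebars.Utils.escapeExpression)` added to the returned list) fixes the symptom but leaves the root cause, an unescaped render of the title in the preferences selector, where it is, and it changes the data this computed property returns: the array now holds HTML-escaped strings, so a legitimate title containing `&` reads back as `&amp;` wherever this list is reused, and if the selected entry is submitted as the user's title it would no longer match the group's default title. Consider keeping the model values raw and escaping at the render site (or confirming the selector component escapes its options), and add a test with a title such as `<b>x</b>` to pin down the intended output of this function.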

GitHub sha: 629bb8ad

Should we have a test for that?

We could, but honestly I think it’s of such little value in this case considering the severity and the challenge of writing the test.

Is this a master-only issue or will it be backported to stable?

No I was just waiting for it to build and then something came up. It’s been backported now. I should note it is very low severity so there is not a huge urgency to upgrade.

Thank you! Updating the package and our instance is quite painless. It is just that I triggered my whole set of Ruby packages earlier, so that will take time :slight_smile: