CVE-2018-9987: Fix XSS issue with muting notifications.

This fixes an XSS issue with Zulip's muting UI, where if a stream or
topic name contained malicious HTML containing JavaScript, and the
user did a muting interaction, the malicious JavaScript could run when
rendering the "you just muted a topic" notification.

We did an audit for similarly problematic use of `.html`, and found
none; for the next release we'll be merging a series of changes to our
linter to prevent future instances of this being added.

Thanks to Suhas Sunil Gaikwad for reporting this issue.
This commit is contained in:
Tim Abbott 2018-03-22 12:47:38 -07:00
parent 92a04b31a0
commit 1207a08b36
1 changed file with 2 additions and 2 deletions


@ -70,8 +70,8 @@ exports.notify_with_undo_option = (function () {
// add a four second delay before closing up.
meta.hide_me_time = new Date().getTime() + 4000;
meta.$mute.find(".topic").html(topic);
meta.$mute.find(".stream").html(stream);
meta.$mute.find(".topic").text(topic);
meta.$mute.find(".stream").text(stream);
animate.fadeIn();
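Review bot: Switching `.html(topic)` / `.html(stream)` to `.text(topic)` / `.text(stream)` is the right fix, since jQuery's `.text()` writes the value as a text node rather than parsing it as markup, so a stream or topic name is shown literally no matter what characters it contains; what is missing from this change is a regression test that renders the mute notification for a topic name containing markup and asserts the name appears verbatim in the DOM, so the behaviour cannot quietly regress. Given the commit message's note that a linter change is planned, that rule should flag any `.html(` call whose argument is not a string literal or the output of a known escaping/templating function, which is exactly the pattern these two lines had.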