CVE-2018-9987: Fix XSS issue with muting notifications.

This fixes an XSS issue with Zulip's muting UI, where if a stream or
topic name contained malicious HTML containing JavaScript, and the
user did a muting interaction, the malicious JavaScript could run when
rendering the "you just muted a topic" notification.

We did an audit for similarly problematic use of `.html`, and found
none; for the next release we'll be merging a series of changes to our
linter to prevent future instances of this being added.

Thanks to Suhas Sunil Gaikwad for reporting this issue.
This commit is contained in:
Tim Abbott 2018-03-22 12:47:38 -07:00
parent 92a04b31a0
commit 1207a08b36
1 changed files with 2 additions and 2 deletions

View File

@ -70,8 +70,8 @@ exports.notify_with_undo_option = (function () {
// add a four second delay before closing up. // add a four second delay before closing up.
meta.hide_me_time = new Date().getTime() + 4000; meta.hide_me_time = new Date().getTime() + 4000;
meta.$mute.find(".topic").html(topic); meta.$mute.find(".topic").text(topic);
meta.$mute.find(".stream").html(stream); meta.$mute.find(".stream").text(stream);
animate.fadeIn(); animate.fadeIn();