CVE-2023-26040: SECURITY: XSS on chat excerpts · discourse/discourse@a373bf2
Discourse is an open-source discussion platform. Between versions 3.1.0.beta2 and 3.1.0.beta3 of the tests-passed
branch, editing or responding to a chat message containing malicious content could lead to a cross-site scripting attack. This issue is patched in version 3.1.0.beta3 of the tests-passed
branch. There are no known workarounds.
@@ -0,0 +1,29 @@
import { module, test } from "qunit"; import { setupRenderingTest } from "discourse/tests/helpers/component-test"; import { render } from "@ember/test-helpers"; import { hbs } from "ember-cli-htmlbars";
module("Integration | Helper | replace-emoji", function (hooks) { setupRenderingTest(hooks);
test("it replaces the emoji", async function (assert) { await render(hbs`<span>{{replace-emoji “some text :heart:"}}</span>`);
assert.dom(`span`).includesText(“some text”); assert.dom(`.emoji[title="heart”]`).exists(); });
test("it escapes the text", async function (assert) { await render( hbs`<span>{{replace-emoji "<style>body: {background: red;}</style>"}}</span>` );
assert.dom(`span`).hasText(“<style>body: {background: red;}</style>”); });
test("it renders html-safe text", async function (assert) { await render(hbs`<span>{{replace-emoji (html-safe “safe text”)}}</span>`);
assert.dom(`span`).hasText(“safe text”); }); });
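Review bot: The "it renders html-safe text" test at the end of the hunk cannot tell whether the helper actually honours a SafeString, because "safe text" contains no markup and reads the same whether it was escaped or passed through, so the test would also pass if the fix over-escaped trusted input. Rendering markup instead, e.g. `{{replace-emoji (html-safe "<b>safe text</b>")}}` together with `assert.dom("span b").exists();`, pins that behaviour. In the "it escapes the text" case an explicit `assert.dom("style").doesNotExist();` beside the hasText check would state the regression being guarded directly rather than relying on a textContent comparison. The curly quotes around some string literals (“some text :heart:") look like a rendering artifact of this page rather than the committed source; worth confirming the file itself uses plain ASCII quotes, since a curly quote there would be a syntax error.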