CVE-2023-22455: SECURITY: escape quotes in tag description when rendering (#19730) · discourse/discourse@6923298
Discourse is an open source discussion platform. Prior to version 2.8.14 on the stable branch and version 3.0.0.beta16 on the beta and tests-passed branches, tag descriptions, which can be updated by moderators, can be used for cross-site scripting attacks. This vulnerability can lead to a full XSS on sites which have modified or disabled Discourse’s default Content Security Policy. Versions 2.8.14 and 3.0.0.beta16 contain a patch.
@@ -2,6 +2,7 @@ import User from "discourse/models/user";
import { escapeExpression } from "discourse/lib/utilities";
import getURL from "discourse-common/lib/get-url";
import { helperContext } from "discourse-common/lib/helpers";
import { escape } from "pretty-text/sanitizer";
let _renderer = defaultRenderTag;
@@ -44,7 +45,7 @@ export function defaultRenderTag(tag, params) {
href +
" data-tag-name=" +
tag +
(params.description ? ' title="’ + params.description + '" ' : “”) +
(params.description ? ' title="’ + escape(params.description) + '" ' : “”) +
" class=’" +
classes.join(" ") +
“’>” +
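Review bot: The new `title` line escapes `params.description` with `escape` from pretty-text/sanitizer while the file already imports `escapeExpression` from discourse/lib/utilities in the first hunk, so the same concatenated attribute string now depends on two different escaping helpers; unless this call needs something `escapeExpression` does not provide, `escapeExpression(params.description)` keeps one escaping contract for the markup and avoids the extra import. The `data-tag-name=` value on the lines just above is emitted without surrounding quotes, so it remains safe only if `tag` is escaped before this point and cannot contain whitespace; defaultRenderTag starts before this hunk, so that cannot be confirmed from here and is worth a look in the same pass. A short comment on the changed line, `// moderator-controlled text inside a quoted attribute: must be escaped`, would record why the call is there and discourage its removal in a later refactor.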