From dc7e2b9261555f4a1a160ea4369e9d9578194358 Mon Sep 17 00:00:00 2001
From: Joel DeSante
Date: Wed, 13 Dec 2023 21:23:48 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9BFixed=20XSS=20vulnerability=20invol?=
 =?UTF-8?q?ving=20post=20excerpts=20(#17190)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

closes https://github.com/TryGhost/Ghost/issues/17058

- Uses the lodash `escape` function.
- Avoids XSS vulnerabilities in post excerpts.
---
 ghost/core/core/frontend/helpers/excerpt.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ghost/core/core/frontend/helpers/excerpt.js b/ghost/core/core/frontend/helpers/excerpt.js
index f0f73aae23..6b574a4865 100644
--- a/ghost/core/core/frontend/helpers/excerpt.js
+++ b/ghost/core/core/frontend/helpers/excerpt.js
@@ -22,6 +22,8 @@ module.exports = function excerpt(options) {
 } else {
 excerptText = '';
 }
+
+ excerptText = _.escape(excerptText);
 
 truncateOptions = _.reduce(truncateOptions, (_truncateOptions, value, key) => {
 if (['words', 'characters'].includes(key)) {
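Review bot: The added `excerptText = _.escape(excerptText);` is applied before the `words`/`characters` truncation options are even parsed, which is the wrong stage for output escaping: the text still has to be truncated, and on the branch that copies `this.html` it presumably still has to have its tags stripped further down in `excerpt()`. Once `<p>` has been turned into `&lt;p&gt;`, a later tag-stripping step no longer recognises it and the literal markup ends up in the rendered excerpt, while a `characters` truncation after escaping counts entity length rather than visible characters and can cut an entity such as `&amp;` in half. Escaping belongs at the output boundary, i.e. on the final plain-text result immediately before the helper marks it safe for the template (a Handlebars SafeString, if that is what the rest of the function returns), so the change should be a move of this one line rather than an addition here. The body of `excerpt()` continues past the end of this hunk, so the exact placement has to be checked against the code below it.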