🐛Fixed XSS vulnerability involving post excerpts (#17190)

closes https://github.com/TryGhost/Ghost/issues/17058

- Uses the lodash `escape` function.
- Avoids XSS vulnerabilities in post excerpts.
Joel DeSante 2023-12-13 21:23:48 +00:00 committed by GitHub
parent b2a429437e
commit dc7e2b9261
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -22,6 +22,8 @@ module.exports = function excerpt(options) {
} else { } else {
excerptText = ''; excerptText = '';
} }
excerptText = _.escape(excerptText);
truncateOptions = _.reduce(truncateOptions, (_truncateOptions, value, key) => { truncateOptions = _.reduce(truncateOptions, (_truncateOptions, value, key) => {
if (['words', 'characters'].includes(key)) { if (['words', 'characters'].includes(key)) {