diff --git a/app/assets/javascripts/discourse/components/badge-card.js.es6 b/app/assets/javascripts/discourse/components/badge-card.js.es6
index 2debc6544..b162e982c 100644
--- a/app/assets/javascripts/discourse/components/badge-card.js.es6
+++ b/app/assets/javascripts/discourse/components/badge-card.js.es6
@@ -1,7 +1,6 @@
import computed from 'ember-addons/ember-computed-decorators';
import DiscourseURL from 'discourse/lib/url';
-import { emojiUnescape } from 'discourse/lib/text';
-import { escapeExpression } from 'discourse/lib/utilities';
+import { sanitize, emojiUnescape } from 'discourse/lib/text';
export default Ember.Component.extend({
size: 'medium',
@@ -40,10 +39,10 @@ export default Ember.Component.extend({
if (size === 'large') {
const longDescription = this.get('badge.long_description');
if (!_.isEmpty(longDescription)) {
- return emojiUnescape(escapeExpression(longDescription));
+ return emojiUnescape(sanitize(longDescription));
}
}
- return escapeExpression(this.get('badge.description'));
+ return sanitize(this.get('badge.description'));
}
});
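Review bot: Badge descriptions now pass through `sanitize` instead of `escapeExpression`, so allow-listed HTML in `badge.description` and `badge.long_description` is rendered rather than shown as text, and the allow-list is whatever `getOpts().features` enables — a trust decision the component leaves undocumented. `badge.description` can also be null (the fixture in this commit has `"description": null` for badge 9, and its `long_description` of `""` falls through to it), so confirm that `sanitize(null)` returns a string as `escapeExpression` did; if the sanitizer does not handle that, guard it with `const description = this.get('badge.description'); return description ? sanitize(description) : '';`. A comment above the branch such as `// Badge text is site-supplied HTML: sanitize it against the post allow-list instead of escaping it` would make the choice explicit for the next reader. The computed property this hunk edits begins outside the hunk.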
diff --git a/app/assets/javascripts/discourse/lib/text.js.es6 b/app/assets/javascripts/discourse/lib/text.js.es6
index 01c15add3..5a140b48c 100644
--- a/app/assets/javascripts/discourse/lib/text.js.es6
+++ b/app/assets/javascripts/discourse/lib/text.js.es6
@@ -1,17 +1,25 @@
import { default as PrettyText, buildOptions } from 'pretty-text/pretty-text';
import { performEmojiUnescape, buildEmojiUrl } from 'pretty-text/emoji';
+import WhiteLister from 'pretty-text/white-lister';
+import { sanitize as textSanitize } from 'pretty-text/sanitizer';
-// Use this to easily create a pretty text instance with proper options
-export function cook(text) {
+function getOpts() {
const siteSettings = Discourse.__container__.lookup('site-settings:main');
- const opts = {
+ return buildOptions({
getURL: Discourse.getURLWithCDN,
currentUser: Discourse.__container__.lookup('current-user:main'),
siteSettings
- };
+ });
+}
- return new Handlebars.SafeString(new PrettyText(buildOptions(opts)).cook(text));
+// Use this to easily create a pretty text instance with proper options
+export function cook(text) {
+ return new Handlebars.SafeString(new PrettyText(getOpts()).cook(text));
+}
+
+export function sanitize(text) {
+ return textSanitize(text, new WhiteLister(getOpts().features));
}
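Review bot: The new exported `sanitize` carries no doc comment stating which allow-list it applies, and a caller needs to know that it reuses the same feature set as `cook` — markup is kept or stripped according to current site settings, not escaped. Suggest above it: `// Sanitize raw HTML with the same feature allow-list cook() uses; elements not permitted by site settings are stripped, not escaped.` Separately, `getOpts()` does two container lookups plus `buildOptions` on every call and `sanitize` builds a fresh `WhiteLister` each time, so a caller sanitizing one string per rendered item pays that repeatedly; whether that matters depends on `buildOptions`' cost, which is not visible here, but a `// called per string; options are rebuilt each time` note would at least flag it.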
function emojiOptions() {
diff --git a/test/javascripts/acceptance/badges-test.js.es6 b/test/javascripts/acceptance/badges-test.js.es6
index a38b9152b..8017739ca 100644
--- a/test/javascripts/acceptance/badges-test.js.es6
+++ b/test/javascripts/acceptance/badges-test.js.es6
@@ -12,6 +12,6 @@ test("Visit Badge Pages", () => {
andThen(() => {
ok(exists('.badge-card'), "has the badge in the listing");
ok(exists('.user-info'), "has the list of users with that badge");
- ok(!exists('.badge-card:eq(0) strike'));
+ ok(!exists('.badge-card:eq(0) script'));
});
});
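Review bot: `ok(!exists('.badge-card:eq(0) script'))` passes vacuously unless the first badge card's fixture actually contains a `<script>` element in its description; the fixture hunk in this commit sets badge 9's long_description to `""` with a `null` description, and no injected markup is visible in this diff, so the assertion may never exercise the sanitizer. Pair it with a positive check: give a fixture description both a permitted element and a disallowed one, then assert the permitted element exists in the card and the disallowed one does not. The enclosing `test("Visit Badge Pages", ...)` block starts outside the hunk.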
diff --git a/test/javascripts/fixtures/badges_fixture.js.es6 b/test/javascripts/fixtures/badges_fixture.js.es6
index 93ec74b86..6081a6b99 100644
--- a/test/javascripts/fixtures/badges_fixture.js.es6
+++ b/test/javascripts/fixtures/badges_fixture.js.es6
@@ -389,7 +389,7 @@ export default {
"id": 9,
"name": "Autobiographer",
"description": null,
- "long_description": "hello",
+ "long_description": "",
"grant_count": 545,
"allow_title": false,
"multiple_grant": false,