From efc6408b1dc63a72e54f8a9b0afeba2e2ff0128f Mon Sep 17 00:00:00 2001 From: Robin Ward Date: Thu, 28 Jul 2016 15:53:36 -0400 Subject: [PATCH] FIX: Regression with escaping on badge page --- .../discourse/components/badge-card.js.es6 | 7 +++---- .../javascripts/discourse/lib/text.js.es6 | 18 +++++++++++++----- test/javascripts/acceptance/badges-test.js.es6 | 2 +- .../javascripts/fixtures/badges_fixture.js.es6 | 2 +- 4 files changed, 18 insertions(+), 11 deletions(-) diff --git a/app/assets/javascripts/discourse/components/badge-card.js.es6 b/app/assets/javascripts/discourse/components/badge-card.js.es6 index 2debc6544..b162e982c 100644 --- a/app/assets/javascripts/discourse/components/badge-card.js.es6 +++ b/app/assets/javascripts/discourse/components/badge-card.js.es6 @@ -1,7 +1,6 @@ import computed from 'ember-addons/ember-computed-decorators'; import DiscourseURL from 'discourse/lib/url'; -import { emojiUnescape } from 'discourse/lib/text'; -import { escapeExpression } from 'discourse/lib/utilities'; +import { sanitize, emojiUnescape } from 'discourse/lib/text'; export default Ember.Component.extend({ size: 'medium', @@ -40,10 +39,10 @@ export default Ember.Component.extend({ if (size === 'large') { const longDescription = this.get('badge.long_description'); if (!_.isEmpty(longDescription)) { - return emojiUnescape(escapeExpression(longDescription)); + return emojiUnescape(sanitize(longDescription)); } } - return escapeExpression(this.get('badge.description')); + return sanitize(this.get('badge.description')); } }); diff --git a/app/assets/javascripts/discourse/lib/text.js.es6 b/app/assets/javascripts/discourse/lib/text.js.es6 index 01c15add3..5a140b48c 100644 --- a/app/assets/javascripts/discourse/lib/text.js.es6 +++ b/app/assets/javascripts/discourse/lib/text.js.es6 @@ -1,17 +1,25 @@ import { default as PrettyText, buildOptions } from 'pretty-text/pretty-text'; import { performEmojiUnescape, buildEmojiUrl } from 'pretty-text/emoji'; +import WhiteLister from 'pretty-text/white-lister'; +import { sanitize as textSanitize } from 'pretty-text/sanitizer'; -// Use this to easily create a pretty text instance with proper options -export function cook(text) { +function getOpts() { const siteSettings = Discourse.__container__.lookup('site-settings:main'); - const opts = { + return buildOptions({ getURL: Discourse.getURLWithCDN, currentUser: Discourse.__container__.lookup('current-user:main'), siteSettings - }; + }); +} - return new Handlebars.SafeString(new PrettyText(buildOptions(opts)).cook(text)); +// Use this to easily create a pretty text instance with proper options +export function cook(text) { + return new Handlebars.SafeString(new PrettyText(getOpts()).cook(text)); +} + +export function sanitize(text) { + return textSanitize(text, new WhiteLister(getOpts().features)); } function emojiOptions() { diff --git a/test/javascripts/acceptance/badges-test.js.es6 b/test/javascripts/acceptance/badges-test.js.es6 index a38b9152b..8017739ca 100644 --- a/test/javascripts/acceptance/badges-test.js.es6 +++ b/test/javascripts/acceptance/badges-test.js.es6 @@ -12,6 +12,6 @@ test("Visit Badge Pages", () => { andThen(() => { ok(exists('.badge-card'), "has the badge in the listing"); ok(exists('.user-info'), "has the list of users with that badge"); - ok(!exists('.badge-card:eq(0) strike')); + ok(!exists('.badge-card:eq(0) script')); }); }); diff --git a/test/javascripts/fixtures/badges_fixture.js.es6 b/test/javascripts/fixtures/badges_fixture.js.es6 index 93ec74b86..6081a6b99 100644 --- a/test/javascripts/fixtures/badges_fixture.js.es6 +++ b/test/javascripts/fixtures/badges_fixture.js.es6 @@ -389,7 +389,7 @@ export default { "id": 9, "name": "Autobiographer", "description": null, - "long_description": "hello", + "long_description": "", "grant_count": 545, "allow_title": false, "multiple_grant": false,