mirror of
https://github.com/codeninjasllc/discourse.git
synced 2024-11-28 01:56:01 -05:00
Fix sanitization of smileys like <_< and <3.
This commit is contained in:
parent
c930fe41b2
commit
fad88c6cf3
2 changed files with 3 additions and 0 deletions
|
@ -154,6 +154,7 @@ Discourse.Markdown = {
|
||||||
**/
|
**/
|
||||||
sanitize: function(text) {
|
sanitize: function(text) {
|
||||||
if (!window.html_sanitize) return "";
|
if (!window.html_sanitize) return "";
|
||||||
|
text = text.replace(/<([^A-Za-z\/]|$)/g, "<$1");
|
||||||
return window.html_sanitize(text, Discourse.Markdown.urlAllowed, Discourse.Markdown.nameIdClassAllowed);
|
return window.html_sanitize(text, Discourse.Markdown.urlAllowed, Discourse.Markdown.nameIdClassAllowed);
|
||||||
},
|
},
|
||||||
|
|
||||||
|
|
|
@ -332,6 +332,8 @@ test("sanitize", function() {
|
||||||
equal(sanitize("<i class=\"fa-bug fa-spin\">bug</i>"), "<i>bug</i>");
|
equal(sanitize("<i class=\"fa-bug fa-spin\">bug</i>"), "<i>bug</i>");
|
||||||
equal(sanitize("<div><script>alert('hi');</script></div>"), "<div></div>");
|
equal(sanitize("<div><script>alert('hi');</script></div>"), "<div></div>");
|
||||||
equal(sanitize("<div><p class=\"funky\" wrong='1'>hello</p></div>"), "<div><p>hello</p></div>");
|
equal(sanitize("<div><p class=\"funky\" wrong='1'>hello</p></div>"), "<div><p>hello</p></div>");
|
||||||
|
equal(sanitize("<3 <3"), "<3 <3");
|
||||||
|
equal(sanitize("<_<"), "<_<");
|
||||||
cooked("hello<script>alert(42)</script>", "<p>hello</p>", "it sanitizes while cooking");
|
cooked("hello<script>alert(42)</script>", "<p>hello</p>", "it sanitizes while cooking");
|
||||||
|
|
||||||
cooked("<a href='http://disneyland.disney.go.com/'>disney</a> <a href='http://reddit.com'>reddit</a>",
|
cooked("<a href='http://disneyland.disney.go.com/'>disney</a> <a href='http://reddit.com'>reddit</a>",
|
||||||
|
|
Loading…
Reference in a new issue