Fix sanitization of smileys like <_< and <3.

This commit is contained in:
Vikhyat Korrapati 2014-01-26 18:38:47 +05:30
parent c930fe41b2
commit fad88c6cf3
2 changed files with 3 additions and 0 deletions


@ -154,6 +154,7 @@ Discourse.Markdown = {
**/ **/
sanitize: function(text) { sanitize: function(text) {
if (!window.html_sanitize) return ""; if (!window.html_sanitize) return "";
text = text.replace(/<([^A-Za-z\/]|$)/g, "&lt;$1");
return window.html_sanitize(text, Discourse.Markdown.urlAllowed, Discourse.Markdown.nameIdClassAllowed); return window.html_sanitize(text, Discourse.Markdown.urlAllowed, Discourse.Markdown.nameIdClassAllowed);
}, },
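Review bot: The pre-pass regex on the added line escapes every `<` that is not followed by a letter or `/`, so besides the smileys named in the title it also turns HTML-comment, `<?` and `<!DOCTYPE` openers into literal `&lt;` text before `html_sanitize` sees them — a fail-closed direction, but broader than the commit describes, and nothing in the hunk records that intent. A one-line why-comment above it would stop a later maintainer from narrowing it back, e.g. `// Escape "<" that cannot start a tag (smileys such as <3 and <_<, or a trailing "<") so the sanitizer keeps them as text; this also neutralises "<!" and "<?" openers.` Because this line now decides what reaches the sanitizer, the tests added in the second file are worth extending with a trailing `<` (the `$` alternative) and a `<!-- -->` input so both paths have a pinned expected output. The `sanitize` function is shown in full, but the enclosing `Discourse.Markdown` object continues outside the hunk.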


@ -332,6 +332,8 @@ test("sanitize", function() {
equal(sanitize("<i class=\"fa-bug fa-spin\">bug</i>"), "<i>bug</i>"); equal(sanitize("<i class=\"fa-bug fa-spin\">bug</i>"), "<i>bug</i>");
equal(sanitize("<div><script>alert('hi');</script></div>"), "<div></div>"); equal(sanitize("<div><script>alert('hi');</script></div>"), "<div></div>");
equal(sanitize("<div><p class=\"funky\" wrong='1'>hello</p></div>"), "<div><p>hello</p></div>"); equal(sanitize("<div><p class=\"funky\" wrong='1'>hello</p></div>"), "<div><p>hello</p></div>");
equal(sanitize("<3 <3"), "&lt;3 &lt;3");
equal(sanitize("<_<"), "&lt;_&lt;");
cooked("hello<script>alert(42)</script>", "<p>hello</p>", "it sanitizes while cooking"); cooked("hello<script>alert(42)</script>", "<p>hello</p>", "it sanitizes while cooking");
cooked("<a href='http://disneyland.disney.go.com/'>disney</a> <a href='http://reddit.com'>reddit</a>", cooked("<a href='http://disneyland.disney.go.com/'>disney</a> <a href='http://reddit.com'>reddit</a>",