diff --git a/app/assets/javascripts/discourse/helpers/application_helpers.js b/app/assets/javascripts/discourse/helpers/application_helpers.js
index aaa2cada8e9..328472f5ffe 100644
--- a/app/assets/javascripts/discourse/helpers/application_helpers.js
+++ b/app/assets/javascripts/discourse/helpers/application_helpers.js
@@ -61,7 +61,7 @@ Handlebars.registerHelper('shorten', function(property, options) {
**/
Handlebars.registerHelper('topicLink', function(property, options) {
var topic = Ember.Handlebars.get(this, property, options),
- title = topic.get('fancy_title') || topic.get('title');
+ title = topic.get('fancy_title');
return "" + title + "";
});
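Review bot: With the `|| topic.get('title')` fallback gone, a topic object whose payload lacks `fancy_title` makes the helper render the literal string "undefined", since the string concatenation on the next line does not check for it. Dropping the raw-title fallback is the right call (that path was the unescaped one), but a safe fallback keeps the helper usable for any serializer that omits the field: `title = topic.get('fancy_title') || Handlebars.Utils.escapeExpression(topic.get('title') || '');`. This presumes the helper's return value is emitted as raw HTML (the markup around `title` appears to have been lost in this rendering), which is why the fallback must escape rather than pass `title` through.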
diff --git a/app/models/topic.rb b/app/models/topic.rb
index b7643d28b7d..92951e1e543 100644
--- a/app/models/topic.rb
+++ b/app/models/topic.rb
@@ -65,7 +65,6 @@ class Topic < ActiveRecord::Base
before_validation do
- self.sanitize_title
self.title = TextCleaner.clean_title(TextSentinel.title_sentinel(title).text) if errors[:title].empty?
end
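Review bot: Removing `self.sanitize_title` from the callback changes the model's contract from sanitize-on-write to escape-on-read, but nothing at the callback documents that `title` in the database is now raw user markup. Every other reader of `title` (JSON serializers, mail templates, the page `<title>`, feeds) now relies entirely on its own output escaping, and the diff does not show those being audited. Add a comment above `before_validation` so the next maintainer does not reintroduce a raw `title` read: `# title is stored unsanitized; render it through fancy_title or escape at the output layer`. The `before_validation` block opens outside this hunk.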
@@ -242,17 +241,21 @@ class Topic < ActiveRecord::Base
end
def fancy_title
- return title unless SiteSetting.title_fancy_entities?
+ sanitized_title = title.gsub(/['&\"<>]/, {
+ "'" => ''',
+ '&' => '&',
+ '"' => '"',
+ '<' => '<',
+ '>' => '>',
+ })
+
+ return sanitized_title unless SiteSetting.title_fancy_entities?
# We don't always have to require this, if fancy is disabled
# see: http://meta.discourse.org/t/pattern-for-defer-loading-gems-and-profiling-with-perftools-rb/4629
require 'redcarpet' unless defined? Redcarpet
- Redcarpet::Render::SmartyPants.render(title)
- end
-
- def sanitize_title
- self.title = sanitize(title.to_s, tags: [], attributes: []).strip.presence
+ Redcarpet::Render::SmartyPants.render(sanitized_title)
end
def new_version_required?
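Review bot: `title.gsub(...)` on the new line raises `NoMethodError` when `title` is nil, which the removed `return title unless ...` tolerated (it returned nil); the callback above can leave `title` nil since nothing in it coerces. The minimal fix is `sanitized_title = title.to_s.gsub(...)`, or replace the hand-maintained map with the framework escaper, `sanitized_title = ERB::Util.html_escape(title.to_s)`, which covers the same five characters. Note that the entity values in the map read as plain characters in this rendering (e.g. `'&' => '&'`); if that is literal rather than an artifact, the map is a no-op and the escape does nothing, so confirm the stored values are `&amp;`, `&lt;`, `&gt;`, `&quot;` and `&#39;`. Also worth a comment on why the escape precedes `SmartyPants.render`: the output is HTML, so the caller must emit it unescaped, which is exactly why the raw `title` must never be used that way.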
diff --git a/spec/models/topic_spec.rb b/spec/models/topic_spec.rb
index d9addc1a563..fd332debcdf 100644
--- a/spec/models/topic_spec.rb
+++ b/spec/models/topic_spec.rb
@@ -121,15 +121,15 @@ describe Topic do
let(:topic_script) { build_topic_with_title("Topic with script in its title" ) }
it "escapes script contents" do
- topic_script.title.should == "Topic with script in its title"
+ topic_script.fancy_title.should == "Topic with <script>alert(‘title’)</script> script in its title"
end
it "escapes bold contents" do
- topic_bold.title.should == "Topic with bold text in its title"
+ topic_bold.fancy_title.should == "Topic with <b>bold</b> text in its title"
end
it "escapes image contents" do
- topic_image.title.should == "Topic with image in its title"
+ topic_image.fancy_title.should == "Topic with <img src=‘something’> image in its title"
end
end
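Review bot: The three examples now assert only on `fancy_title`, so nothing pins the new contract that `title` itself stays unsanitized in the model. Keep one assertion alongside the first example to document and guard it, e.g. `topic_script.title.should include("<script>")`, so a future change that silently re-sanitizes on write (or one that starts stripping rather than escaping on read) fails a test instead of changing behavior unnoticed. The expected strings in this rendering appear to have their entities decoded (e.g. `<script>` where `&lt;script&gt;` is meant), so confirm the literal spec text matches the escaper's output. The enclosing `describe` begins outside this hunk.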
@@ -142,8 +142,8 @@ describe Topic do
SiteSetting.stubs(:title_fancy_entities).returns(false)
end
- it "doesn't change the title to add entities" do
- topic.fancy_title.should == topic.title
+ it "doesn't add entities to the title" do
+ topic.fancy_title.should == ""this topic" -- has ``fancy stuff''"
end
end
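Review bot: This is the only example covering the early-return path when `title_fancy_entities` is false, and its fixture contains only quotes and dashes, so the escaping of `<`, `>` and `&` on that branch is untested. Add one example in this block with markup in the title, e.g. `build_topic_with_title("<b>x</b>").fancy_title.should == "&lt;b&gt;x&lt;/b&gt;"`, since that branch is the whole reason the escape was moved above the `SiteSetting` check. The enclosing `describe`/`before` context begins outside this hunk.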