github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-11-23 10:30:01 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

FIX: Headings must begin with heading-- to avoid some griefing

Browse Source
This commit is contained in:
Robin Ward 2017-10-16 11:53:47 -04:00
parent 5f76e5062d
commit fb2e581b26
3 changed files with 30 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
app/assets/javascripts/pretty-text/sanitizer.js.es6
View File

@ -98,6 +98,14 @@ export function sanitize(text, whiteLister) {
return "-STRIP-"; return "-STRIP-";
} }
// Heading ids must begin with `heading--`
if (
['h1', 'h2', 'h3', 'h4', 'h5', 'h6'].indexOf(tag) !== -1 &&
value.match(/^heading\-\-[a-zA-Z0-9\-\_]+$/)
) {
return attr(name, value);
}
const custom = whiteLister.getCustom(); const custom = whiteLister.getCustom();
for (let i=0; i<custom.length; i++) { for (let i=0; i<custom.length; i++) {
const fn = custom[i]; const fn = custom[i];

12
app/assets/javascripts/pretty-text/white-lister.js.es6
View File

@ -141,12 +141,12 @@ const DEFAULT_LIST = [
'dl', 'dl',
'dt', 'dt',
'em', 'em',
'h1[id]', 'h1',
'h2[id]', 'h2',
'h3[id]', 'h3',
'h4[id]', 'h4',
'h5[id]', 'h5',
'h6[id]', 'h6',
'hr', 'hr',
'i', 'i',
'iframe', 'iframe',

22
test/javascripts/lib/sanitizer-test.js.es6
View File

@ -65,12 +65,22 @@ QUnit.test("sanitize", assert => {
QUnit.test("ids on headings", assert => { QUnit.test("ids on headings", assert => {
const pt = new PrettyText(buildOptions({ siteSettings: {} })); const pt = new PrettyText(buildOptions({ siteSettings: {} }));
assert.equal(pt.sanitize("<h3>Test Heading</h3>"), "<h3>Test Heading</h3>"); assert.equal(pt.sanitize("<h3>Test Heading</h3>"), "<h3>Test Heading</h3>");
assert.equal(pt.sanitize(`<h1 id="test-heading">Test Heading</h1>`), `<h1 id="test-heading">Test Heading</h1>`); assert.equal(pt.sanitize(`<h1 id="heading--test">Test Heading</h1>`), `<h1 id="heading--test">Test Heading</h1>`);
assert.equal(pt.sanitize(`<h2 id="test-heading">Test Heading</h2>`), `<h2 id="test-heading">Test Heading</h2>`); assert.equal(pt.sanitize(`<h2 id="heading--cool">Test Heading</h2>`), `<h2 id="heading--cool">Test Heading</h2>`);
assert.equal(pt.sanitize(`<h3 id="test-heading">Test Heading</h3>`), `<h3 id="test-heading">Test Heading</h3>`); assert.equal(pt.sanitize(`<h3 id="heading--dashed-name">Test Heading</h3>`), `<h3 id="heading--dashed-name">Test Heading</h3>`);
assert.equal(pt.sanitize(`<h4 id="test-heading">Test Heading</h4>`), `<h4 id="test-heading">Test Heading</h4>`); assert.equal(pt.sanitize(`<h4 id="heading--underscored_name">Test Heading</h4>`), `<h4 id="heading--underscored_name">Test Heading</h4>`);
assert.equal(pt.sanitize(`<h5 id="test-heading">Test Heading</h5>`), `<h5 id="test-heading">Test Heading</h5>`); assert.equal(pt.sanitize(`<h5 id="heading--trout">Test Heading</h5>`), `<h5 id="heading--trout">Test Heading</h5>`);
assert.equal(pt.sanitize(`<h6 id="test-heading">Test Heading</h6>`), `<h6 id="test-heading">Test Heading</h6>`); assert.equal(pt.sanitize(`<h6 id="heading--discourse">Test Heading</h6>`), `<h6 id="heading--discourse">Test Heading</h6>`);
});
QUnit.test("poorly formed ids on headings", assert => {
let pt = new PrettyText(buildOptions({ siteSettings: {} }));
assert.equal(pt.sanitize(`<h1 id="evil-trout">Test Heading</h1>`), `<h1>Test Heading</h1>`);
assert.equal(pt.sanitize(`<h1 id="heading--">Test Heading</h1>`), `<h1>Test Heading</h1>`);
assert.equal(pt.sanitize(`<h1 id="heading--with space">Test Heading</h1>`), `<h1>Test Heading</h1>`);
assert.equal(pt.sanitize(`<h1 id="heading--with*char">Test Heading</h1>`), `<h1>Test Heading</h1>`);
assert.equal(pt.sanitize(`<h1 id="heading--">Test Heading</h1>`), `<h1>Test Heading</h1>`);
assert.equal(pt.sanitize(`<h1 id="test-heading--cool">Test Heading</h1>`), `<h1>Test Heading</h1>`);
}); });
QUnit.test("urlAllowed", assert => { QUnit.test("urlAllowed", assert => {