discourse/app
Roman Rizzi 5ee31cbf7d
FIX: Mark invites flash messages as HTML safe. (#15539)
* FIX: Mark invites flash messages as HTML safe.
This change should be safe as all user inputs included in the errors are sanitized before sending it back to the client.

Context: https://meta.discourse.org/t/html-tags-are-explicit-after-latest-update/214220

* If somebody adds a new error message that includes user input and doesn't sanitize it, using html-safe suddenly becomes unsafe again. As an extra layer of protection, we make the client sanitize the error message received from the backend.

* Escape user input instead of sanitizing
2022-01-18 09:38:31 -03:00
..
assets FIX: Mark invites flash messages as HTML safe. (#15539) 2022-01-18 09:38:31 -03:00
controllers FIX: Mark invites flash messages as HTML safe. (#15539) 2022-01-18 09:38:31 -03:00
helpers DEV: Support for running theme test with Ember CLI (third attempt) 2022-01-13 16:02:07 -05:00
jobs DEV: Fix methods removed in Ruby 3.2 (#15459) 2022-01-05 18:45:08 +01:00
mailers DEV: Hash tokens stored from email_tokens (#14493) 2021-11-25 09:34:39 +02:00
models FIX: Mark invites flash messages as HTML safe. (#15539) 2022-01-18 09:38:31 -03:00
serializers UX: change text of public_topic action code in login required sites. (#14764) 2022-01-11 11:35:16 +05:30
services DEV: Avoid $ globals (#15453) 2022-01-08 23:39:46 +01:00
views DEV: Support for running theme test with Ember CLI (third attempt) 2022-01-13 16:02:07 -05:00