FIX: prevent iframe in expanded quote
ZogStriP committed Oct 28, 2014
1 parent e7b39be commit 9b29a23
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion app/assets/javascripts/discourse/views/post_view.js
Expand Up @@ -131,7 +131,9 @@ Discourse.PostView = Discourse.GroupedView.extend(Ember.Evented, {
topicId = parseInt(topicId, 10);

Discourse.ajax("/posts/by_number/" + topicId + "/" + postId).then(function (result) {
var parsed = $(result.cooked);
// slightly double escape the cooked html to prevent jQuery from unescaping it
var escaped = result.cooked.replace("&", "&");
var parsed = $(escaped);
parsed.replaceText(originalText, "<span class='highlighted'>" + originalText + "</span>");

@SamSaffron

SamSaffron Oct 28, 2014

Member

Can we not just use .innerHTML here and bypass jQuery and the hack?

@ZogStriP

ZogStriP Oct 28, 2014

Author Member

Nope. If we use innerHTML, we double escape, and then, when we use the .showHtml method, the inserted quote will display the HTML code of the cooked version of the post.

$blockQuote.showHtml(parsed, 'fast', finished);
});
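Review bot: the added escaping line `var escaped = result.cooked.replace("&", "&");` does not do what its comment says. `String.prototype.replace` with a string pattern rewrites only the first occurrence, and as rendered here the replacement is identical to the pattern, so `escaped` is the same string as `result.cooked` and `$(escaped)` still parses the raw cooked markup. If the intent is to entity-encode every ampersand before the markup reaches jQuery's HTML parser, use a global pattern such as `result.cooked.replace(/&/g, "&amp;")`, and it would be worth a test with a cooked string that contains more than one `&` and an embedded `<iframe>` to confirm the expanded quote renders it as text rather than as an element.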