Discource-C
/
DiscoTOC
mirror of https://github.com/discourse/DiscoTOC.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SECURITY: Render TOC items as plain text (#44)

This commit is contained in:
Jarek Radosz 2022-10-03 21:10:05 +02:00 committed by GitHub
parent d6b02afbc2
commit f80c215a28
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 33 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
about.json
View File

@ -3,6 +3,7 @@
"component": true,
"about_url": "https://meta.discourse.org/t/discotoc-automatic-table-of-contents/111143",
"license_url": "https://github.com/discourse/DiscoTOC/blob/main/LICENSE",
"theme_version": "2.1.0",
"assets": {
"icons-sprite": "/assets/sprite.svg"
}

6
javascripts/discourse/initializers/disco-toc-main.js
View File

@ -286,9 +286,9 @@ export default {
li.classList.add("d-toc-item");
li.classList.add(`d-toc-${clonedNode.tagName.toLowerCase()}`);
li.innerHTML = `<a href="#" data-d-toc="${clonedNode.getAttribute("id")}">${
clonedNode.textContent
}</a>`;
const id = clonedNode.getAttribute("id");
li.innerHTML = `<a href="#" data-d-toc="${id}"></a>`;
li.querySelector("a").innerText = clonedNode.textContent.trim();
clonedNode.remove();
return li;

2
package.json
View File

@ -1,6 +1,6 @@
{
"name": "DiscoTOC",
"version": "2.0.0",
"version": "2.1.0",
"repository": "https://github.com/discourse/DiscoTOC",
"author": "Discourse",
"license": "MIT",

28
test/acceptance/toc-test.js
View File

@ -122,3 +122,31 @@ acceptance("DiscoTOC - with categories", function (needs) {
assert.ok(exists(".d-toc-wrapper #d-toc"));
});
});
acceptance("DiscoTOC - non-text headings", function (needs) {
needs.pretender((server, helper) => {
const topicResponse = cloneJSON(topicFixtures["/t/280/1.json"]);
topicResponse.post_stream.posts[0].cooked = `
<h3 id="toc-h3-span" data-d-toc="toc-h3-span" class="d-toc-post-heading">
<a name="span-4" class="anchor" href="#span-4"></a>&lt;span style="color: red"&gt;what about this&lt;/span&gt;</h3>
</h3>
<p>test</p>
${TOC_MARKUP}
`;
server.get("/t/280.json", () => helper.response(topicResponse));
server.get("/t/280/:post_number.json", () =>
helper.response(topicResponse)
);
});
test("renders the TOC items as plain text", async function (assert) {
await visit("/t/internationalization-localization/280");
const item = query(`#d-toc [data-d-toc="toc-h3-span"]`);
assert.strictEqual(
item.innerHTML.trim(),
`&lt;span style="color: red"&gt;what about this&lt;/span&gt;`
);
});
});