948634fe31
Previously, the replacement system would modify raw HTML, which is prone to issues and vulnerabilities. With this commit, we iterate over text nodes only, and do simple string replacements on their content. That means that the user input never gets passed into an HTML parser, and there is no chance of injection attacks.
The re-rendering system is also simplified to store the original value for re-use later, instead of mapping position/length of replacements.
This does mean the behavior is changed slightly. Replacements will no longer be applied to html attributes (e.g `a[href]`). If this affects your use-case, please let us know [on Meta](https://meta.discourse.org/t/113533).
This is a followup to the fix in
|
||
|---|---|---|
| .github/workflows | ||
| common | ||
| javascripts/discourse | ||
| locales | ||
| mobile | ||
| test/acceptance | ||
| .discourse-compatibility | ||
| .eslintrc.cjs | ||
| .gitignore | ||
| .prettierrc.cjs | ||
| .template-lintrc.cjs | ||
| LICENSE | ||
| README.md | ||
| about.json | ||
| package.json | ||
| translator.yml | ||
| yarn.lock | ||
README.md
discourse-placeholder-theme-component
https://meta.discourse.org/t/discourse-placeholder-theme-component/113533
Usage
[wrap=placeholder key=NAME][/wrap]
[wrap=placeholder key=COUNTRY default=FR][/wrap]
[wrap=placeholder key=SECRET description="Used to open the bank"][/wrap]
I'm =NAME=, I come from =COUNTRY= let me tell you my secret: =SECRET==
Feedback
If you have issues or suggestions for the theme component, please bring them up on Discourse Meta.