SECURITY: Correctly escape 'text' email preview
This commit is contained in:
parent
76bdea5ce2
commit
0ed20fe1cd
|
@ -21,13 +21,15 @@
|
|||
{{#if this.showHtml}}
|
||||
<span>{{i18n "admin.email.html"}}</span>
|
||||
|
|
||||
<a href {{on "click" this.toggleShowHtml}}>
|
||||
<a href {{on "click" this.toggleShowHtml}} class="show-text-link">
|
||||
{{i18n "admin.email.text"}}
|
||||
</a>
|
||||
{{else}}
|
||||
<a href {{on "click" this.toggleShowHtml}}>{{i18n
|
||||
"admin.email.html"
|
||||
}}</a>
|
||||
<a
|
||||
href
|
||||
{{on "click" this.toggleShowHtml}}
|
||||
class="show-html-link"
|
||||
>{{i18n "admin.email.html"}}</a>
|
||||
|
|
||||
<span>{{i18n "admin.email.text"}}</span>
|
||||
{{/if}}
|
||||
|
@ -77,7 +79,7 @@
|
|||
></iframe>
|
||||
{{/if}}
|
||||
{{else}}
|
||||
<pre>{{html-safe this.model.text_content}}</pre>
|
||||
<pre>{{this.model.text_content}}</pre>
|
||||
{{/if}}
|
||||
</div>
|
||||
</div>
|
||||
|
|
|
@ -0,0 +1,39 @@
|
|||
import { acceptance, query } from "discourse/tests/helpers/qunit-helpers";
|
||||
import { click, visit, waitUntil } from "@ember/test-helpers";
|
||||
import { test } from "qunit";
|
||||
|
||||
acceptance("Admin - email-preview", function (needs) {
|
||||
needs.user();
|
||||
needs.pretender((server, helper) => {
|
||||
server.get("/admin/email/preview-digest.json", () =>
|
||||
helper.response(200, {
|
||||
html_content: "<span>Hello world</span>",
|
||||
text_content: "<span>Not actually html</span>",
|
||||
})
|
||||
);
|
||||
});
|
||||
|
||||
test("preview rendering", async function (assert) {
|
||||
await visit("/admin/email/preview-digest");
|
||||
const iframe = query(".preview-output iframe");
|
||||
|
||||
// Rendered as a separate document, so Ember's built-in waiters don't work properly
|
||||
await waitUntil(() => iframe.contentWindow.document.body);
|
||||
|
||||
const iframeBody = iframe.contentWindow.document.body;
|
||||
|
||||
assert.strictEqual(
|
||||
iframeBody.querySelector("span").innerText,
|
||||
"Hello world",
|
||||
"html content is rendered inside iframe"
|
||||
);
|
||||
|
||||
await click("a.show-text-link");
|
||||
assert
|
||||
.dom(".preview-output pre")
|
||||
.hasText(
|
||||
"<span>Not actually html</span>",
|
||||
"text content is escaped correctly"
|
||||
);
|
||||
});
|
||||
});
|
Loading…
Reference in New Issue