SECURITY: Correctly escape 'text' email preview

This commit is contained in:
David Taylor 2023-09-27 11:58:18 +01:00 committed by Penar Musaraj
parent 76bdea5ce2
commit 0ed20fe1cd
No known key found for this signature in database
GPG Key ID: E390435D881FF0F7
2 changed files with 46 additions and 5 deletions

View File

@ -21,13 +21,15 @@
{{#if this.showHtml}}
<span>{{i18n "admin.email.html"}}</span>
|
<a href {{on "click" this.toggleShowHtml}}>
<a href {{on "click" this.toggleShowHtml}} class="show-text-link">
{{i18n "admin.email.text"}}
</a>
{{else}}
<a href {{on "click" this.toggleShowHtml}}>{{i18n
"admin.email.html"
}}</a>
<a
href
{{on "click" this.toggleShowHtml}}
class="show-html-link"
>{{i18n "admin.email.html"}}</a>
|
<span>{{i18n "admin.email.text"}}</span>
{{/if}}
@ -77,7 +79,7 @@
></iframe>
{{/if}}
{{else}}
<pre>{{html-safe this.model.text_content}}</pre>
<pre>{{this.model.text_content}}</pre>
{{/if}}
</div>
</div>

View File

@ -0,0 +1,39 @@
import { acceptance, query } from "discourse/tests/helpers/qunit-helpers";
import { click, visit, waitUntil } from "@ember/test-helpers";
import { test } from "qunit";
acceptance("Admin - email-preview", function (needs) {
needs.user();
needs.pretender((server, helper) => {
server.get("/admin/email/preview-digest.json", () =>
helper.response(200, {
html_content: "<span>Hello world</span>",
text_content: "<span>Not actually html</span>",
})
);
});
test("preview rendering", async function (assert) {
await visit("/admin/email/preview-digest");
const iframe = query(".preview-output iframe");
// Rendered as a separate document, so Ember's built-in waiters don't work properly
await waitUntil(() => iframe.contentWindow.document.body);
const iframeBody = iframe.contentWindow.document.body;
assert.strictEqual(
iframeBody.querySelector("span").innerText,
"Hello world",
"html content is rendered inside iframe"
);
await click("a.show-text-link");
assert
.dom(".preview-output pre")
.hasText(
"<span>Not actually html</span>",
"text content is escaped correctly"
);
});
});