mirror of
https://github.com/discourse/discourse.git
synced 2025-02-21 19:55:43 +00:00
SECURITY: Sanitize d-popover attributes (#13958)
This commit is contained in:
Bianca Nenciu
GitHub
parent
bb2c48b065
commit
38199424bc
@ -16,8 +16,7 @@ const D_ARROW_HEIGHT = 10;
|
||||
|
||||
const D_HORIZONTAL_MARGIN = 5;
|
||||
|
||||
export const POPOVER_SELECTORS =
|
||||
"[data-html-popover], [data-html-tooltip], [data-popover], [data-tooltip]";
|
||||
export const POPOVER_SELECTORS = "[data-popover], [data-tooltip]";
|
||||
|
||||
export function hidePopover() {
|
||||
getPopover().fadeOut().remove();
|
||||
@ -55,11 +54,6 @@ export function showPopover(event, options = {}) {
|
||||
}
|
||||
|
||||
function setPopoverHtmlContent($enteredElement, content) {
|
||||
content =
|
||||
content ||
|
||||
$enteredElement.attr("data-html-popover") ||
|
||||
$enteredElement.attr("data-html-tooltip");
|
||||
|
||||
replaceHtmlContent($enteredElement, content);
|
||||
}
|
||||
|
||||
|
||||
@ -136,6 +136,11 @@ module("Unit | Utility | sanitizer", function () {
|
||||
);
|
||||
|
||||
cooked(`<div dir="rtl">RTL text</div>`, `<div dir="rtl">RTL text</div>`);
|
||||
|
||||
cooked(
|
||||
`<div data-value="<something>" data-html-value="<something>"></div>`,
|
||||
`<div data-value="<something>"></div>`
|
||||
);
|
||||
});
|
||||
|
||||
test("ids on headings", function (assert) {
|
||||
|
||||
@ -75,7 +75,9 @@ export function sanitize(text, allowLister) {
|
||||
if (
|
||||
(forAttr &&
|
||||
(forAttr.indexOf("*") !== -1 || forAttr.indexOf(value) !== -1)) ||
|
||||
(name.indexOf("data-") === 0 && forTag["data-*"]) ||
|
||||
(name.indexOf("data-html-") === -1 &&
|
||||
name.indexOf("data-") === 0 &&
|
||||
forTag["data-*"]) ||
|
||||
(tag === "a" &&
|
||||
name === "href" &&
|
||||
hrefAllowed(value, extraHrefMatchers)) ||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user