FIX: restrict classes allowed for img tag in Markdown

2017-10-16 09:34:30 +11:00 · 2017-10-16 09:34:30 +11:00 · 9cb088e3f6
parent 52b33b448d
commit 9cb088e3f6
3 changed files with 4 additions and 1 deletions
--- a/app/assets/javascripts/pretty-text/engines/discourse-markdown/emoji.js.es6
+++ b/app/assets/javascripts/pretty-text/engines/discourse-markdown/emoji.js.es6
@ -240,4 +240,6 @@ export function setup(helper) {
      state, (c,s)=>applyEmoji(c,s,md.options.discourse.emojiUnicodeReplacer))
    );
  });
+
+  helper.whiteList(['img[class=emoji]']);
 }
--- a/app/assets/javascripts/pretty-text/engines/discourse-markdown/quotes.js.es6
+++ b/app/assets/javascripts/pretty-text/engines/discourse-markdown/quotes.js.es6
@ -130,4 +130,6 @@ export function setup(helper) {
  helper.registerPlugin(md=>{
     md.block.bbcode.ruler.push('quotes', rule);
  });
+
+  helper.whiteList(['img[class=avatar]']);
 }
--- a/app/assets/javascripts/pretty-text/white-lister.js.es6
+++ b/app/assets/javascripts/pretty-text/white-lister.js.es6
@ -156,7 +156,6 @@ const DEFAULT_LIST = [
  'iframe[marginwidth]',
  'iframe[width]',
  'img[alt]',
-  'img[class]',
  'img[height]',
  'img[title]',
  'img[width]',