4ae26bcaac
It is now safe to render the message excerpt as HTML since it is no longer using text_entities: true in the server PrettyText.excerpt call when creating the message excerpt from the cooked HTML. This will fix the issue of things like mentions showing HTML code instead of the actual mention when replying, and cannot be used to inject improper HTML like style tags via XSS.
- chat
- discourse-details
- discourse-lazy-videos
- discourse-local-dates
- discourse-narrative-bot
- discourse-presence
- poll
- styleguide