IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-25 18:55:32 -06:00
Code Issues Packages Projects Releases Wiki Activity

FIX: Keep onebox styling in edit history

Browse Source
This commit is contained in:
Penar Musaraj 2020-06-15 15:23:14 -04:00
parent 18244ff44c
commit 298393a5bc
No known key found for this signature in database
GPG Key ID: E390435D881FF0F7
2 changed files with 30 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
app/assets/javascripts/discourse/app/controllers/history.js
View File

@ -261,9 +261,10 @@ export default Controller.extend(ModalFunctionality, {
this.set("bodyDiff", html); this.set("bodyDiff", html);
} else { } else {
const opts = { const opts = {
features: { editHistory: true }, features: { editHistory: true, historyOneboxes: true },
whiteListed: { whiteListed: {
editHistory: { custom: (tag, attr) => attr === "class" } editHistory: { custom: (tag, attr) => attr === "class" },
historyOneboxes: ["header", "article", "div[style]"]
} }
}; };

28
test/javascripts/controllers/history-test.js
View File

@ -40,6 +40,17 @@ QUnit.test("displayEdit", async function(assert) {
const html = `<div class="revision-content"> const html = `<div class="revision-content">
<p><img src="/uploads/default/original/1X/6b963ffc13cb0c053bbb90c92e99d4fe71b286ef.jpg" alt="" class="diff-del"><img/src=x onerror=alert(document.domain)>" width="276" height="183"></p> <p><img src="/uploads/default/original/1X/6b963ffc13cb0c053bbb90c92e99d4fe71b286ef.jpg" alt="" class="diff-del"><img/src=x onerror=alert(document.domain)>" width="276" height="183"></p>
</div> </div>
<aside class="onebox whitelistedgeneric">
<header class="source">
<img src="/uploads/default/original/1X/1b0984d7ee08bce90572f46a1950e1ced436d028.png" class="site-icon" width="32" height="32">
<a href="https://meta.discourse.org/t/discourse-version-2-5/125302">Discourse Meta 9 Aug 19</a>
</header>
<article class="onebox-body">
<img src="/uploads/default/optimized/1X/ecc92a52ee7353e03d5c0d1ea6521ce4541d9c25_2_500x500.png" class="thumbnail onebox-avatar d-lazyload" width="500" height="500">
<h3><a href="https://meta.discourse.org/t/discourse-version-2-5/125302" target="_blank">Discourse Version 2.5</a></h3>
<div style="clear: both"></div>
</article>
</aside>
<table background="javascript:alert(\"HACKEDXSS\")"> <table background="javascript:alert(\"HACKEDXSS\")">
<thead> <thead>
<tr> <tr>
@ -58,6 +69,17 @@ QUnit.test("displayEdit", async function(assert) {
const expectedOutput = `<div class="revision-content"> const expectedOutput = `<div class="revision-content">
<p><img src="/uploads/default/original/1X/6b963ffc13cb0c053bbb90c92e99d4fe71b286ef.jpg" alt class="diff-del">" width="276" height="183"&gt;</p> <p><img src="/uploads/default/original/1X/6b963ffc13cb0c053bbb90c92e99d4fe71b286ef.jpg" alt class="diff-del">" width="276" height="183"&gt;</p>
</div> </div>
<aside class="onebox whitelistedgeneric">
<header class="source">
<img src="/uploads/default/original/1X/1b0984d7ee08bce90572f46a1950e1ced436d028.png" class="site-icon" width="32" height="32">
<a href="https://meta.discourse.org/t/discourse-version-2-5/125302">Discourse Meta 9 Aug 19</a>
</header>
<article class="onebox-body">
<img src="/uploads/default/optimized/1X/ecc92a52ee7353e03d5c0d1ea6521ce4541d9c25_2_500x500.png" class="thumbnail onebox-avatar d-lazyload" width="500" height="500">
<h3><a href="https://meta.discourse.org/t/discourse-version-2-5/125302" target="_blank">Discourse Version 2.5</a></h3>
<div style="clear: both"></div>
</article>
</aside>
<table> <table>
<thead> <thead>
<tr> <tr>
@ -85,5 +107,9 @@ QUnit.test("displayEdit", async function(assert) {
await HistoryController.bodyDiffChanged(); await HistoryController.bodyDiffChanged();
const output = HistoryController.get("bodyDiff"); const output = HistoryController.get("bodyDiff");
assert.equal(output, expectedOutput, "it keeps safe HTML"); assert.equal(
output,
expectedOutput,
"it keeps HTML safe and doesn't strip onebox tags"
);
}); });