From 9b29a23ecee5957974bc5504d0759984fae03043 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9gis=20Hanol?=
Date: Tue, 28 Oct 2014 22:58:22 +0100
Subject: [PATCH] FIX: prevent iframe in expended quote
---
 app/assets/javascripts/discourse/views/post_view.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/app/assets/javascripts/discourse/views/post_view.js b/app/assets/javascripts/discourse/views/post_view.js
index 087ebe3c9e0..0eb45c93d41 100644
--- a/app/assets/javascripts/discourse/views/post_view.js
+++ b/app/assets/javascripts/discourse/views/post_view.js
@@ -131,7 +131,9 @@ Discourse.PostView = Discourse.GroupedView.extend(Ember.Evented, {
 topicId = parseInt(topicId, 10);
 Discourse.ajax("/posts/by_number/" + topicId + "/" + postId).then(function (result) {
- var parsed = $(result.cooked);
+ // slightly double escape the cooked html to prevent jQuery from unescaping it
+ var escaped = result.cooked.replace("&", "&");
+ var parsed = $(escaped);
 parsed.replaceText(originalText, "" + originalText + "");
 $blockQuote.showHtml(parsed, 'fast', finished);
 });
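Review bot: The escaping on the new `var escaped` line is a no-op as it appears here: the search string and the replacement are both `"&"`, so `escaped` is identical to `result.cooked` and `$(escaped)` still parses whatever markup the cooked HTML carries, which is exactly what the commit title says it wants to prevent. If the page rendering has dropped `amp;` from the replacement, the call still only rewrites the first `&` because a string pattern is not global; `var escaped = result.cooked.replace(/&/g, "&amp;");` covers every occurrence. The comment above it should say what the doubling protects against rather than how it looks, e.g. `// double-escape entities so escaped text such as &lt;iframe&gt; in the cooked html stays text once jQuery parses it`, and the `replaceText` wrapper on the following line, which renders here as two empty strings, looks stripped by the same rendering and should be checked against the real file. The `then` callback and the enclosing `Discourse.PostView` definition start and end outside the hunk.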