mirror of
https://github.com/discourse/discourse.git
synced 2025-02-25 18:55:32 -06:00
`escape` from `pretty-text/sanitizer` is a re-export of the same function defined in `discourse-common`. Updating the import paths across the codebase to use the `discourse-common` import path.

`escape` is a rather simple function that can be accomplished with a regular expression in `discourse-common`.

On the other hand, the remaining parts in `pretty-text/sanitizer` have a lot of code, PLUS it depends on the rather heavy "xss" NPM library.

Currently, most of the consumers of `pretty-text/sanitizer` are of the `{ escape }` variant. This is resolved by this PR.

The remaining usages are either:

1. via/through `PrettyText` which is essentially gated behind loading the markdown-it bundle, OR
2. via `sanitize` from `discourse/lib/text`

I believe we may ultimately be able to move all the usages to behind the markdown-it bundle (or, equivalently, set up another lazy bundle for `sanitize`) and be able to shed the sanitization code and the "xss" library from the initial page load.

`discourse/lib/text` also defines a `sanitizeAsync` which is gated behind loading the markdown-it bundle.

Looking through the usages of `sanitize`, I believe most of these can be safely switched to use `sanitizeAsync`, in that they are already in an asynchronous path that handles a server response. Most of them are actually rendering a piece of server-generated HTML message as flash message, so I am not sure there really is value in sanitizing (we should be able to trust our own server?), but in any case, code-wise, they should already be able to absorb the async just fine.

I am not sure if `sanitize` and `sanitizeAsync` are actually API compatible – they both take `options` but I think those `options` do pretty different things. This is something for another person to investigate down the road in another PR.

According to `all-the-plugins`, `discourse-graphviz` also imports from this location, so perhaps we should PR to update.

That being said, it doesn't really hurt anything to keep the alias around for a while.

| ||
---|---|---|
.. | ||
admin | ||
bootstrap-json | ||
confirm-new-email | ||
deprecation-silencer | ||
dialog-holder | ||
discourse | ||
discourse-common | ||
discourse-hbr | ||
discourse-plugins | ||
discourse-widget-hbs | ||
docs | ||
ember-addons | ||
ember-cli-progress-ci | ||
ember-production-deprecations | ||
float-kit | ||
locales | ||
patches | ||
pretty-text | ||
select-kit | ||
theme-transpiler | ||
truth-helpers | ||
wizard | ||
.licensee.json | ||
.npmrc | ||
handlebars-shim.js | ||
package.json | ||
polyfills.js | ||
run-patch-package | ||
service-worker.js.erb | ||
yarn.lock |