Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-11-17 03:01:08 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: do not blindly escape a notification's bodyLong

Browse Source 
For 7+ years we were escaping this value, but it is in many cases already sanitized (as it may be a post content). For those cases when it is not, I now run it through parse.raw.

Instead of escaping, it now strips p, img, and a tags.
This commit is contained in:
Julian Lam
2021-02-09 11:14:53 -05:00
parent 0092df2c02
commit 783786cf8c
4 changed files with 5 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/notifications.js
View File

@@ -75,7 +75,7 @@ Notifications.getMultiple = async function (nids) {
notification.datetimeISO = utils.toISOString(notification.datetime);
if (notification.bodyLong) {
notification.bodyLong = utils.escapeHTML(notification.bodyLong);
notification.bodyLong = utils.stripHTMLTags(notification.bodyLong, ['img', 'p', 'a']);
}
notification.user = usersData[index];