Fixing MM-36062 another detail
This commit is contained in:
parent
edc3eb7e8f
commit
d7442739b5
2 changed files with 2 additions and 2 deletions
|
@ -29,7 +29,7 @@ describe('utils', () => {
|
|||
test('should not allow XSS on links href on the desktop app', () => {
|
||||
const windowAsAny = window as any
|
||||
windowAsAny.openInNewBrowser = () => null
|
||||
const expectedHtml = '<p><a target="_blank" rel="noreferrer" href="%22xss-attack=%22true%22other=%22whatever" title="" onclick="event.stopPropagation(); openInNewBrowser && openInNewBrowser("%22xss-attack=%22true%22other=%22whatever");"></a></p>'
|
||||
const expectedHtml = '<p><a target="_blank" rel="noreferrer" href="%22xss-attack=%22true%22other=%22whatever" title="" onclick="event.stopPropagation(); openInNewBrowser && openInNewBrowser(event.target.href);"></a></p>'
|
||||
expect(Utils.htmlFromMarkdown('[]("xss-attack="true"other="whatever)')).toBe(expectedHtml)
|
||||
windowAsAny.openInNewBrowser = null
|
||||
})
|
||||
|
|
|
@ -113,7 +113,7 @@ class Utils {
|
|||
// HACKHACK: Somehow, marked doesn't encode angle brackets
|
||||
const renderer = new marked.Renderer()
|
||||
if ((window as any).openInNewBrowser) {
|
||||
renderer.link = (href, title, contents) => `<a target="_blank" rel="noreferrer" href="${encodeURI(href || '')}" title="${title ? encodeURI(title) : ''}" onclick="event.stopPropagation(); openInNewBrowser && openInNewBrowser("${encodeURI(href || '')}");">${contents}</a>`
|
||||
renderer.link = (href, title, contents) => `<a target="_blank" rel="noreferrer" href="${encodeURI(href || '')}" title="${title ? encodeURI(title) : ''}" onclick="event.stopPropagation(); openInNewBrowser && openInNewBrowser(event.target.href);">${contents}</a>`
|
||||
}
|
||||
const html = marked(text.replace(/</g, '<'), {renderer, breaks: true})
|
||||
return html.trim()
|
||||
|
|
Loading…
Reference in a new issue