Diffstat (limited to 'client/components/main/editor.js')
-rwxr-xr-xclient/components/main/editor.js28
1 files changed, 16 insertions, 12 deletions
diff --git a/client/components/main/editor.js b/client/components/main/editor.js
index da66bb74..da15407a 100755
--- a/client/components/main/editor.js
+++ b/client/components/main/editor.js
@@ -10,7 +10,7 @@ Template.editor.onRendered(() => {
search(term, callback) {
callback(Emoji.values.map((emoji) => {
return emoji.includes(term) ? emoji : null;
- }));
+ }).filter(Boolean));
},
template(value) {
const imgSrc = Emoji.baseImagePath + value;
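Review bot: The new `.filter(Boolean)` on the map result is a two-pass way of expressing a single predicate; the callback maps matches to themselves and non-matches to `null` only so the filter can drop them again. A plain filter says the same thing in one step: `callback(Emoji.values.filter((emoji) => emoji.includes(term)));`. The same applies to the member search in the next hunk, where the username lookup can stay in the predicate: `callback(currentBoard.activeMembers().map((member) => Users.findOne(member.userId).username).filter((username) => username.includes(term)));`. Both `search` methods belong to the `onRendered` callback, which starts and ends outside these hunks.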
@@ -31,7 +31,7 @@ Template.editor.onRendered(() => {
callback(currentBoard.activeMembers().map((member) => {
const username = Users.findOne(member.userId).username;
return username.includes(term) ? username : null;
- }));
+ }).filter(Boolean));
},
template(value) {
return value;
@@ -44,6 +44,8 @@ Template.editor.onRendered(() => {
]);
});
+import sanitizeXss from 'xss';
+
// XXX I believe we should compute a HTML rendered field on the server that
// would handle markdown, emoji and user mentions. We can simply have two
// fields, one source, and one compiled version (in HTML) and send only the
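Review bot: The added `import sanitizeXss from 'xss';` sits in the middle of the module, after the `onRendered` block that closes on the line above it. ES module imports are hoisted regardless of position, so this works, but it hides the file's dependencies from a reader (and trips the common `import/first` lint rule); move the line to the top of the file alongside its other imports, if it has any, which are outside this hunk.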
@@ -86,19 +88,14 @@ Blaze.Template.registerHelper('mentions', new Template('mentions', function() {
content = content.replace(fullMention, Blaze.toHTML(link));
}
- return HTML.Raw(content);
+ return HTML.Raw(sanitizeXss(content));
}));
Template.viewer.events({
- 'click .js-open-member'(evt, tpl) {
- const userId = evt.currentTarget.dataset.userid;
- Popup.open('member').call({ userId }, evt, tpl);
- },
-
// Viewer sometimes have click-able wrapper around them (for instance to edit
// the corresponding text). Clicking a link shouldn't fire these actions, stop
// we stop these event at the viewer component level.
- 'click a'(evt) {
+ 'click a'(evt, tpl) {
evt.stopPropagation();
// XXX We hijack the build-in browser action because we currently don't have
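Review bot: `HTML.Raw(sanitizeXss(content))` runs the `xss` package with its default options, and as far as I recall the default whitelist keeps only a handful of attributes per tag (for `a`: `href`, `title`, `target`) and drops the rest, so the `data-userid` attribute that the new `'click a'` handler reads in the next hunk would be stripped from the mention links before they reach the DOM. If the mention `link` built earlier in this template (outside the hunk) carries that attribute, pass an explicit whitelist, e.g. `sanitizeXss(content, { whiteList: { ...sanitizeXss.whiteList, a: ['href', 'title', 'target', 'data-userid'] } })`, and add a short comment above the call stating which attributes the viewer relies on so the two pieces stay in sync. Worth verifying in the browser that a mention still opens the member popup after this change. The `mentions` template function starts outside the hunk.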
@@ -106,9 +103,16 @@ Template.viewer.events({
// handled by a third party package that we can't configure easily. Fix that
// by using directly `_blank` attribute in the rendered HTML.
evt.preventDefault();
- const href = evt.currentTarget.href;
- if (href) {
- window.open(href, '_blank');
+
+ const userId = evt.currentTarget.dataset.userid;
+ if (userId) {
+ Popup.open('member').call({ userId }, evt, tpl);
+ }
+ else {
+ const href = evt.currentTarget.href;
+ if (href) {
+ window.open(href, '_blank');
+ }
}
},
});
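Review bot: The moved `window.open(href, '_blank')` opens user-authored links without `noopener`, so the target page receives a `window.opener` reference back to this tab; since `href` comes from rendered user content, pass the feature string explicitly: `window.open(href, '_blank', 'noopener,noreferrer');`. Separately, the `if (userId) { … } else { … }` nesting with `}` and `else` on separate lines reads more easily as a guard, `if (userId) { Popup.open('member').call({ userId }, evt, tpl); return; }` followed by the unnested `href` branch. Note that `userId` is trusted here as soon as it is present on any anchor, so it is only as safe as the sanitizer's attribute handling in the previous hunk.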