Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2026-05-07 05:16:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

fix: do not blindly escape a notification's bodyLong

Browse Source 
For 7+ years we were escaping this value, but it is in many cases already sanitized (as it may be a post content). For those cases when it is not, I now run it through parse.raw.

Instead of escaping, it now strips p, img, and a tags.
This commit is contained in:
Julian Lam
2021-02-09 11:14:53 -05:00
parent 0092df2c02
commit 783786cf8c
4 changed files with 5 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/flags.js
View File

@@ -720,7 +720,7 @@ Flags.notify = async function (flagObj, uid) {
notifObj = await notifications.create({
type: 'new-post-flag',
bodyShort: `[[notifications:user_flagged_post_in, ${flagObj.reports[flagObj.reports.length - 1].reporter.username}, ${titleEscaped}]]`,
bodyLong: flagObj.description,
bodyLong: await plugins.hooks.fire('filter:parse.raw', flagObj.description),
pid: flagObj.targetId,
path: `/flags/${flagObj.flagId}`,
nid: `flag:post:${flagObj.targetId}`,
@@ -733,7 +733,7 @@ Flags.notify = async function (flagObj, uid) {
notifObj = await notifications.create({
type: 'new-user-flag',
bodyShort: `[[notifications:user_flagged_user, ${flagObj.reports[flagObj.reports.length - 1].reporter.username}, ${flagObj.target.username}]]`,
bodyLong: flagObj.description,
bodyLong: await plugins.hooks.fire('filter:parse.raw', flagObj.description),
path: `/flags/${flagObj.flagId}`,
nid: `flag:user:${flagObj.targetId}`,
from: uid,