
Mark html notifications as html-safe, else escape

no issue

- Use the double-stash escaping output for notification messages
- Mark known and trusted html notifications as html-safe

Credits: Abdel Adim Oisif
Hannah Wolfe 2015-02-15 16:51:46 +00:00
parent a9389bf682
commit e75939c083
3 changed files with 9 additions and 6 deletions


@ -197,7 +197,7 @@ EditorControllerMixin = Ember.Mixin.create(MarkerManager, {
if (status === 'published') { if (status === 'published') {
message += '&nbsp;<a href="' + path + '">View ' + this.get('postOrPage') + '</a>'; message += '&nbsp;<a href="' + path + '">View ' + this.get('postOrPage') + '</a>';
} }
this.notifications.showSuccess(message, {delayed: delay}); this.notifications.showSuccess(message.htmlSafe(), {delayed: delay});
}, },
showErrorNotification: function (prevStatus, status, errors, delay) { showErrorNotification: function (prevStatus, status, errors, delay) {
@ -206,7 +206,7 @@ EditorControllerMixin = Ember.Mixin.create(MarkerManager, {
message += '<br />' + error; message += '<br />' + error;
this.notifications.showError(message, {delayed: delay}); this.notifications.showError(message.htmlSafe(), {delayed: delay});
}, },
shouldFocusTitle: Ember.computed.alias('model.isNew'), shouldFocusTitle: Ember.computed.alias('model.isNew'),
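Review bot: Calling `.htmlSafe()` on `message` in showErrorNotification, right after `message += '<br />' + error;`, marks the whole concatenated string as trusted markup, so whatever `error` contains is rendered unescaped; unless every `error` is already escaped where it is produced (not visible in this hunk), it should be escaped before concatenation, `message += '<br />' + Ember.Handlebars.Utils.escapeExpression(error);`, as the formatErrors hunk in this commit does. The same applies to the success message in the first hunk, where `path` and `this.get('postOrPage')` are interpolated into the anchor before the string is marked safe; escaping those values keeps the trusted part limited to the literal tags. Both functions touched here begin and end outside the hunk, so where `error` and `path` originate cannot be confirmed from this view.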


@ -29,12 +29,15 @@ function formatErrors(errors, opts) {
// get the validator's error messages from the array. // get the validator's error messages from the array.
// normalize array members to map to strings. // normalize array members to map to strings.
message = errors.map(function (error) { message = errors.map(function (error) {
var errorMessage;
if (typeof error === 'string') { if (typeof error === 'string') {
return error; errorMessage = error;
} else {
errorMessage = error.message;
} }
return error.message; return Ember.Handlebars.Utils.escapeExpression(errorMessage);
}).join('<br />'); }).join('<br />').htmlSafe();
} else if (errors instanceof Error) { } else if (errors instanceof Error) {
message += errors.message || '.'; message += errors.message || '.';
} else if (typeof errors === 'object') { } else if (typeof errors === 'object') {
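Review bot: After this change formatErrors returns a SafeString from the array branch but a plain string from the `errors instanceof Error` and object branches, and nothing in the function documents that the result must not be appended to. A caller doing `message += ...` on the array result would coerce the SafeString back to a plain string, after which the template's default escaping shows the `<br />` separators literally; a comment on the `.join('<br />').htmlSafe()` line would make the contract explicit, e.g. `// each entry is escaped individually, so the joined markup is safe to mark trusted; do not concatenate onto the result`. It may also be worth noting that a non-string entry without a `message` property reaches escapeExpression as `undefined`, which presumably renders as an empty line rather than throwing — confirm against the validator output. formatErrors starts before this hunk and continues past it.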


@ -1,6 +1,6 @@
<section {{bind-attr class=":js-notification typeClass"}}> <section {{bind-attr class=":js-notification typeClass"}}>
<span class="notification-message"> <span class="notification-message">
{{{message.message}}} {{message.message}}
</span> </span>
<button class="close" {{action "closeNotification"}}><span class="hidden">Close</span></button> <button class="close" {{action "closeNotification"}}><span class="hidden">Close</span></button>
</section> </section>
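Review bot: The switch from `{{{message.message}}}` to `{{message.message}}` is the line the whole change rests on, yet the template gives no hint that escaping is now the contract, so a later edit could reinstate the triple-stash without noticing. A short template comment above the span would document it, e.g. `{{! message.message is escaped here; only values marked htmlSafe() after escaping their dynamic parts render as markup }}`. Any notification that needs markup must be marked safe at its source, as the formatErrors change in this commit does.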