Use angular to sanitize plugin description. #13714
@@ -141,7 +141,7 @@ | |||
</div> | |||
<div class="plugin-desc-text"> | |||
|
|||
{{ plugin.info.description|raw|nl2br }} | |||
<div ng-bind-html="{{ plugin.info.description|raw|nl2br|json_encode|e('html_attr') }}"></div> |
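Review bot: the new ng-bind-html div only sanitizes if the ngSanitize module is loaded; without it AngularJS refuses to render untrusted HTML (it throws unless the value was passed through $sce.trustAsHtml), and nothing in this hunk shows that dependency. The filter chain also keeps raw ahead of nl2br, so the unsanitized description is still written into the page inside the attribute value; json_encode|e('html_attr') keeps it inert as a string literal, but the only thing removing script content is now the client-side sanitizer. Given that only one plugin appears to use HTML here, the simpler and safer change is to drop raw and let Twig's autoescape handle the description server-side.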
It seems the only plugin that uses html is custom variables? I'd be tempted to simply not allow HTML in the plugin description.
Don't have an opinion personally.
I'll remove the HTML from custom variables and no longer allow HTML there.
@@ -150,7 +150,7 @@ | |||
'https://matomo.org', 'https://www.matomo.org', 'https://matomo.org/', 'https://www.matomo.org/' | |||
] %} | |||
<span class="plugin-homepage"> | |||
<a target="_blank" rel="noreferrer noopener" href="{{ plugin.info.homepage }}">({{ 'CorePluginsAdmin_PluginHomepage'|translate|replace({' ': ' '})|raw }})</a> | |||
<a target="_blank" rel="noreferrer noopener" href="{{ plugin.info.homepage|e('url') }}">({{ 'CorePluginsAdmin_PluginHomepage'|translate|replace({' ': ' '})|raw }})</a> |
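Review bot: e('url') is Twig's rawurlencode strategy, meant for a single path or query component, so it will percent-encode the ':' and '/' in plugin.info.homepage and the href stops working. The value sits inside a quoted href, so e('html_attr') is the right strategy for the attribute break-out this hunk targets. Attribute escaping does not reject a javascript: or data: URL, though, so if homepage comes from plugin metadata, also check that its scheme is http or https before rendering the link.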
e('url') cannot be used on a full link, but only on a component. It breaks the URL...
I'll replace it with html_attr
@diosmosis see last commit, I fixed the homepage URL link and no longer allow HTML in the description.
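To make the escaping-strategy point above concrete, here is an added example (not Matomo code and not part of this PR) that reproduces what Twig's url and html_attr strategies do to a full homepage URL, and adds the scheme check that attribute escaping alone does not give you. It approximates Twig's html_attr with htmlspecialchars, which covers the quote and angle-bracket cases relevant here; the function names and sample URLs are constructed for illustration.

```php
<?php
// Added example, not Matomo code: what Twig's escaping strategies do to a full
// URL, and why attribute escaping by itself is not enough for an href value.

function escapeUrlComponent(string $value): string
{
    // Equivalent of Twig's e('url'), which is rawurlencode(). It is meant for a
    // single path or query component, so it also encodes ':' '/' '?' and '='.
    return rawurlencode($value);
}

function escapeHtmlAttr(string $value): string
{
    // Approximation of Twig's e('html_attr') (assumption: htmlspecialchars is
    // enough for the characters that matter in this diff, i.e. quotes and '<' '>').
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function isSafeHomepage(string $url): bool
{
    // Attribute escaping keeps the markup intact but does nothing about a
    // javascript: or data: URL, which stays clickable. Allowlist the scheme.
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === null || $scheme === false) {
        return false;
    }
    return in_array(strtolower($scheme), ['http', 'https'], true);
}

function renderHomepageLink(string $url): string
{
    if (!isSafeHomepage($url)) {
        return ''; // omit the link rather than render an unsafe scheme
    }
    return '<a target="_blank" rel="noreferrer noopener" href="'
        . escapeHtmlAttr($url) . '">(Plugin Homepage)</a>';
}

// Constructed sample inputs, not taken from any real plugin.json.
$samples = [
    'https://matomo.org/plugins/?q=1&x=2',   // legitimate homepage
    'javascript:alert(document.cookie)',     // survives attribute escaping
    '" onmouseover="alert(1)',               // attribute break-out attempt
];

foreach ($samples as $url) {
    echo "input:     $url\n";
    echo "e('url'):  " . escapeUrlComponent($url) . "\n"; // broken as an href
    echo "html_attr: " . escapeHtmlAttr($url) . "\n";     // intact, still needs scheme check
    echo "rendered:  " . (renderHomepageLink($url) ?: '(link omitted)') . "\n\n";
}
```

Run it with php on the command line: the first sample renders as a working link, the second is dropped by the scheme allowlist even though html_attr escaping would have left it clickable, and the third is neutralised by the attribute escaping but also dropped because it has no scheme.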