From 746416207bd15f7883af18e359b84f0c4444a12a Mon Sep 17 00:00:00 2001 From: rinpatch Date: Thu, 30 Jan 2020 19:55:01 +0300 Subject: [PATCH 1/2] Escape HTML from display name and subject fields Closes #724 --- package.json | 1 + src/services/entity_normalizer/entity_normalizer.service.js | 6 ++++-- yarn.lock | 3 ++- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/package.json b/package.json index 9ec8c1eb..5c7fa31e 100644 --- a/package.json +++ b/package.json @@ -21,6 +21,7 @@ "chromatism": "^3.0.0", "cropperjs": "^1.4.3", "diff": "^3.0.1", + "escape-html": "^1.0.3", "karma-mocha-reporter": "^2.2.1", "localforage": "^1.5.0", "object-path": "^0.11.3", diff --git a/src/services/entity_normalizer/entity_normalizer.service.js b/src/services/entity_normalizer/entity_normalizer.service.js index a3d0b782..3116d211 100644 --- a/src/services/entity_normalizer/entity_normalizer.service.js +++ b/src/services/entity_normalizer/entity_normalizer.service.js @@ -1,3 +1,5 @@ +import escape from 'escape-html' + const qvitterStatusType = (status) => { if (status.is_post_verb) { return 'status' @@ -41,7 +43,7 @@ export const parseUser = (data) => { } output.name = data.display_name - output.name_html = addEmojis(data.display_name, data.emojis) + output.name_html = addEmojis(escape(data.display_name), data.emojis) output.description = data.note output.description_html = addEmojis(data.note, data.emojis) @@ -256,7 +258,7 @@ export const parseStatus = (data) => { output.retweeted_status = parseStatus(data.reblog) } - output.summary_html = addEmojis(data.spoiler_text, data.emojis) + output.summary_html = addEmojis(escape(data.spoiler_text), data.emojis) output.external_url = data.url output.poll = data.poll output.pinned = data.pinned diff --git a/yarn.lock b/yarn.lock index 1a5d4cef..b794042f 100644 --- a/yarn.lock +++ b/yarn.lock @@ -2757,9 +2757,10 @@ es6-promisify@^5.0.0: dependencies: es6-promise "^4.0.3" -escape-html@~1.0.3: +escape-html@^1.0.3, escape-html@~1.0.3: version "1.0.3" resolved "https://registry.yarnpkg.com/escape-html/-/escape-html-1.0.3.tgz#0258eae4d3d0c0974de1c169188ef0051d1d1988" + integrity sha1-Aljq5NPQwJdN4cFpGI7wBR0dGYg= escape-string-regexp@1.0.5, escape-string-regexp@^1.0.2, escape-string-regexp@^1.0.5: version "1.0.5" From 4a266a4d0547c0f68628001e8948dd171ef4554b Mon Sep 17 00:00:00 2001 From: Shpuld Shpludson Date: Fri, 31 Jan 2020 00:24:54 +0000 Subject: [PATCH 2/2] Fix one click nsfw unhide on videos --- CHANGELOG.md | 1 + src/components/attachment/attachment.js | 11 ++++++++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 65973dbb..abefd958 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,6 +19,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). - Single notifications left unread when hitting read on another device/tab - Registration fixed - Deactivation of remote accounts from frontend +- Fixed NSFW unhiding not working with videos when using one-click unhiding/displaying ## [1.1.7 and earlier] - 2019-12-14 ### Added diff --git a/src/components/attachment/attachment.js b/src/components/attachment/attachment.js index 06b496b0..b832e10f 100644 --- a/src/components/attachment/attachment.js +++ b/src/components/attachment/attachment.js @@ -2,6 +2,7 @@ import StillImage from '../still-image/still-image.vue' import VideoAttachment from '../video_attachment/video_attachment.vue' import nsfwImage from '../../assets/nsfw.png' import fileTypeService from '../../services/file_type/file_type.service.js' +import { mapGetters } from 'vuex' const Attachment = { props: [ @@ -49,7 +50,8 @@ const Attachment = { }, fullwidth () { return this.type === 'html' || this.type === 'audio' - } + }, + ...mapGetters(['mergedConfig']) }, methods: { linkClicked ({ target }) { @@ -58,7 +60,7 @@ const Attachment = { } }, openModal (event) { - const modalTypes = this.$store.getters.mergedConfig.playVideosInModal + const modalTypes = this.mergedConfig.playVideosInModal ? ['image', 'video'] : ['image'] if (fileTypeService.fileMatchesSomeType(modalTypes, this.attachment) || @@ -71,7 +73,10 @@ const Attachment = { } }, toggleHidden (event) { - if (this.$store.getters.mergedConfig.useOneClickNsfw && !this.showHidden) { + if ( + (this.mergedConfig.useOneClickNsfw && !this.showHidden) && + (this.type !== 'video' || this.mergedConfig.playVideosInModal) + ) { this.openModal(event) return }