DEV: use HTML5 version of loofah (#21522)

https://meta.discourse.org/t/markdown-preview-and-result-differ/263878 The result of this markdown had different results in the composer preview and the post. This is solved by updating Loofah to the latest version and using html5 fragments like our user had reported. While the change was only needed in cooked_post_processor.rb for this fix, other areas also had to be updated due to various side effects.
2025-05-24 14:12:10 +08:00 · 2023-06-20 11:49:22 +10:00
parent a999deaab9
commit 9e241e82e9
15 changed files with 123 additions and 115 deletions
--- a/plugins/poll/spec/controllers/posts_controller_spec.rb
+++ b/plugins/poll/spec/controllers/posts_controller_spec.rb
@ -129,8 +129,7 @@ RSpec.describe PostsController do

      expect(response.status).to eq(200)
      json = response.parsed_body
-      expect(json["cooked"]).to match("data-poll-")
-      expect(json["cooked"]).to include("&lt;script&gt;")
+      expect(json["cooked"]).to include("data-poll-name=\"<script>alert('xss')</script>\"")
      expect(Poll.find_by(post_id: json["id"]).name).to eq(
        "&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;",
      )