From 3cc8354fe28a07f9fe683ea5f39af1666c704bbf Mon Sep 17 00:00:00 2001
From: Neil Lalonde
Date: Mon, 19 Aug 2013 14:19:59 -0400
Subject: [PATCH] Don't trust topic title in template until it has been sanitized by the server

---
 .../javascripts/discourse/controllers/topic_controller.js | 6 +++++-
 .../javascripts/discourse/templates/topic.js.handlebars | 8 +++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/app/assets/javascripts/discourse/controllers/topic_controller.js b/app/assets/javascripts/discourse/controllers/topic_controller.js
index b8479d6707..4db234f377 100644
--- a/app/assets/javascripts/discourse/controllers/topic_controller.js
+++ b/app/assets/javascripts/discourse/controllers/topic_controller.js
@@ -141,6 +141,9 @@ Discourse.TopicController = Discourse.ObjectController.extend(Discourse.Selected
 var topic = this.get('model');
 
+ // Topic title hasn't been sanitized yet, so the template shouldn't trust it.
+ this.set('topicSaving', true);
+
 // manually update the titles & category
 topic.setProperties({
 title: this.get('newTitle'),
@@ -157,9 +160,10 @@ Discourse.TopicController = Discourse.ObjectController.extend(Discourse.Selected
 title: title,
 fancy_title: fancy_title
 });
-
+ topicController.set('topicSaving', false);
 }, function(error) {
 topicController.set('editingTopic', true);
+ topicController.set('topicSaving', false);
 if (error && error.responseText) {
 bootbox.alert($.parseJSON(error.responseText).errors[0]);
 } else {
diff --git a/app/assets/javascripts/discourse/templates/topic.js.handlebars b/app/assets/javascripts/discourse/templates/topic.js.handlebars
index e66324b409..0554adf550 100644
--- a/app/assets/javascripts/discourse/templates/topic.js.handlebars
+++ b/app/assets/javascripts/discourse/templates/topic.js.handlebars
@@ -19,7 +19,13 @@
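Review bot: The added comment states the intent but not the mechanism, and the flag is set on the controller while the untrusted value is written onto the model through `topic.setProperties`, so any other template bound to the same model's title is not covered by it; naming the consumer makes that scope explicit, e.g. `// While topicSaving is true, topic.js.handlebars renders fancy_title escaped instead of raw.` The enclosing function starts outside the hunk, so it is not visible whether cancelling the edit also clears `topicSaving`; if it does not, a cancel after this line would leave the flag true until the next save completes.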
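Review bot: The error callback clears `topicSaving` while the model may still carry the unsanitized title written by `topic.setProperties` earlier in this function, so the template goes back to rendering `{{{fancy_title}}}` unescaped with client-supplied text unless the error path restores the previous values somewhere outside the hunk. Either leave the flag set on failure until the edit is cancelled or retried, or restore the prior `title`/`fancy_title` (if they are retained) before `topicController.set('topicSaving', false);`. The same reset line appears in both callbacks; if the promise returned here supports an always/finally handler, a single reset there would keep the two branches from drifting. The success callback begins outside the hunk, and `this.set` in the earlier hunk and `topicController.set` here presumably refer to the same controller.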

 {{#if details.loaded}}
 {{topicStatus topic=model}}
- {{{fancy_title}}}
+
+ {{#if topicSaving}}
+ {{fancy_title}}
+ {{else}}
+ {{{fancy_title}}}
+ {{/if}}
+
 {{/if}}
 {{boundCategoryLink category}}
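Review bot: The difference between `{{fancy_title}}` and `{{{fancy_title}}}` in the two branches is the whole point of the change, yet nothing in the template says so, and a later maintainer is likely to "fix" the escaped form back to the raw one. A template comment on the `{{#if topicSaving}}` line would protect it, e.g. `{{!-- topicSaving: title is still client-supplied, render it escaped until the server returns sanitized fancy_title --}}`. The surrounding markup appears to have been stripped from this hunk, so the element the branches sit in is not visible here.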