diff --git a/plugins/poll/assets/javascripts/poll_dialect.js b/plugins/poll/assets/javascripts/poll_dialect.js
index d2e0b4c93c..cc2ed60b91 100644
--- a/plugins/poll/assets/javascripts/poll_dialect.js
+++ b/plugins/poll/assets/javascripts/poll_dialect.js
@@ -67,11 +67,18 @@
}
}
- // make sure the first child is a list with at least 1 option
- if (contents.length === 0 || contents[0].length <= 1 || (contents[0][0] !== "numberlist" && contents[0][0] !== "bulletlist")) {
+ // make sure there's only 1 child and it's a list with at least 1 option
+ if (contents.length !== 1 || contents[0].length <= 1 || (contents[0][0] !== "numberlist" && contents[0][0] !== "bulletlist")) {
return ["div"].concat(contents);
}
+ // make sure there's only options in the list
+ for (o = 1; o < contents[0].length; o++) {
+ if (contents[0][o][0] !== "listitem") {
+ return ["div"].concat(contents);
+ }
+ }
+
// TODO: remove non whitelisted content
// generate
styles (if any)
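Review bot: The added loop rejects a list only when a direct child is not a `listitem`; whatever sits inside each option is still emitted unchanged, which the surviving `// TODO: remove non whitelisted content` acknowledges. Since option text is written by post authors, I would either filter the option contents in this same pass or replace the TODO with a comment naming the stage that is relied on for sanitising, e.g. `// option contents are not filtered here; sanitising is done by <stage>`. The fallback `return ["div"].concat(contents);` now appears twice, so folding the item check into a small helper called from the first `if` would keep a single bail-out path. The enclosing function starts and ends outside the hunk, so the declaration of `o` cannot be checked from here.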
@@ -86,9 +93,6 @@
// add option id (hash) + style
for (o = 1; o < contents[0].length; o++) {
- // break as soon as the list is done
- if (contents[0][o][0] !== "listitem") { break; }
-
var attr = {};
// apply styles if any
if (style.length > 0) { attr["style"] = style; }
diff --git a/plugins/poll/spec/controllers/posts_controller_spec.rb b/plugins/poll/spec/controllers/posts_controller_spec.rb
index ad373624ce..f0f128f3a3 100644
--- a/plugins/poll/spec/controllers/posts_controller_spec.rb
+++ b/plugins/poll/spec/controllers/posts_controller_spec.rb
@@ -65,6 +65,15 @@ describe PostsController do
expect(json["polls"]).to be
end
+ it "prevents pollception" do
+ xhr :post, :create, { title: title, raw: "[poll name=1]\n- A\n[poll name=2]\n- B\n- C\n[/poll]\n- D\n[/poll]" }
+ expect(response).to be_success
+ json = ::JSON.parse(response.body)
+ expect(json["cooked"]).to match("data-poll-")
+ expect(json["polls"]["1"]).to_not be
+ expect(json["polls"]["2"]).to be
+ end
+
describe "edit window" do
describe "within the first 5 minutes" do
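Review bot: `expect(json["cooked"]).to match("data-poll-")` passes as soon as any poll markup is present, so it does not show that the outer `[poll name=1]` was left unrendered in the cooked HTML. Only the `json["polls"]` assertions cover that, and they check the stored polls rather than the markup. A negative expectation on the cooked output for poll 1 would pin the dialect change made in poll_dialect.js, assuming the cooked markup carries the poll name in an attribute. As a style point, `include("data-poll-")` states the substring intent more directly than `match` with a string. The surrounding `describe PostsController` block continues outside the hunk.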