I’d like to customize the reply/embedded-post. This requires a modification to the _computeCooked method in post-cooked via a plugin; essentially when this.attrs.embeddedPost is true, render something else.
I noticed it’s easier to override or reopen ‘conventional’ Ember classes or the widgets created using ‘createWidget’. What would be the best way to achieve this for the PostCooked class?
with custom content depending on the category. But it makes sense. This should also be possible with decorateCooked. After reading a bit, it seems like decorateCookedElement might be the right one, as I don't want to use jQuery. Thaaanks
After messing around for one day I came across this answer.
Seems like this was a wasted effort and I need to go a different route.
When I am setting elem.innerHTML to <script>alert(1)</script> it becomes unescaped. (I see while I type this in the composer that it will be removed in the preview if I type it unescaped.) Is this a problem, or will CSP stop it? https://meta.discourse.org/t/mitigate-xss-attacks-with-content-security-policy/104243
Posts including script tags as part of an explanation also seem to create these CSP errors. I am really confused now. Do I need to worry about stored XSS at all, or will CSP just block it? In the composer I use CKEditor, which prevents self-XSS. If I need to worry about it, it seems like I need to prune unsafe tags. I just do
value = Loofah.fragment(value).scrub!(:escape).to_s
at the moment, but it seems to have no effect at all, because setting elem.innerHTML to this value will just unescape the HTML entities.
EDIT: I finally found the source of my confusion: Inspect Element will not show you the real HTML. It will convert HTML entities already.
If you click on "Edit as HTML" in the inspector, it becomes clear that everything is actually fine. Seeing otherwise invisible tags being rendered should have already pointed me in this direction.
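The escape-and-inspect round trip the post above describes, as an added example that is not code from the thread or from Discourse. It assumes Ruby's stdlib CGI.escapeHTML as a stand-in for Loofah's :escape scrubber (both turn markup into entities), and the helper names are made up for illustration:

```ruby
require 'cgi'

# Stand-in for Loofah.fragment(value).scrub!(:escape).to_s (assumption:
# CGI.escapeHTML does the same entity encoding for <, >, &, " and ').
def escape_for_inner_html(value)
  CGI.escapeHTML(value)
end

# True when the string can no longer open a tag or smuggle in an
# undecoded '&': no raw '<' or '>' survives and every '&' starts a
# well-formed entity, so innerHTML can only produce text nodes.
def inert_markup?(escaped)
  return false if escaped.match?(/[<>]/)
  !escaped.match?(/&(?![a-zA-Z]+;|#\d+;|#x[0-9a-fA-F]+;)/)
end

# What the browser shows as visible text after parsing the escaped
# string, and what the inspector's element tree displays: the entities
# decode back to the original characters, but as text, not as elements.
def rendered_text(escaped)
  CGI.unescapeHTML(escaped)
end

# Escaping a value that was already escaped is the usual mistake when a
# sanitizer has run upstream: the reader then sees a literal "&lt;script&gt;".
def double_escaped?(escaped)
  escaped.include?('&amp;lt;') || escaped.include?('&amp;gt;')
end

if __FILE__ == $PROGRAM_NAME
  payload = '<script>alert(1)</script>'   # constructed sample input
  escaped = escape_for_inner_html(payload)
  puts escaped                             # what the server actually sent
  puts inert_markup?(escaped)              # true: nothing left to execute
  puts rendered_text(escaped)              # what "Inspect Element" shows
end
```

The last line prints the original tag text, which is exactly why the inspector view looked unescaped; only "Edit as HTML" shows the entities the server sent.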