I’d like to customize the reply/embedded-post. This requires a modification to the _computeCooked method in post-cooked via a plugin; essentially when this.attrs.embeddedPost is true, render something else.
I noticed it’s easier to override or reopen ‘conventional’ Ember classes or the widgets created using ‘createWidget’. What would be the best way to achieve this for the PostCooked class?
with custom content depending on the category. But it makes sense. this should also be possible with decorateCooked. after reading a bit it seems like decorateCookedElement might be the right one, as I dont want to use jquery. Thaaanks
After messing around for one day I came across this answer.
seems like this was a wasted effort and I need to go a different route.
when I am setting elem.innerHTML to <script>alert(1)</script> it becomes unescaped. (i see while I type this in the composer, that it will be removed in the preview if I type it unescaped.) is this a problem or will CSP stop it? Mitigate XSS Attacks with Content Security Policy
posts including script tags as part of an explanation also seem to create these CSP errors. I am really confused now. Do I need to worry about stored xss at all, or will CSP just block it? in the composer i use ckeditor which prevents from selfxss. If I need to worry about it, it seems like I need to prune unsafe tags. I just do
value = Loofah.fragment(value).scrub!(:escape).to_s
at the moment, but it seems to have no effect at all because setting elem.innerHTML to this value will just unescape the html entities.
EDIT: I finally found the source of my confusion: inspect element will not show you the real html. it will convert html entities already.