xss, ckeditor js bug.

2014-05-20 15:37:05 +08:00 · 2014-05-20 15:37:05 +08:00 · 85c77ca074
parent dac992548a
commit 85c77ca074
1 changed files with 3 additions and 3 deletions
--- a/app/views/memos/show.html.erb
+++ b/app/views/memos/show.html.erb
@ -110,8 +110,7 @@
 					<%= link_to image_tag(url_to_avatar(reply.author), :class => "avatar"), user_path(reply.author) %>
 				</td>
 				<td class="comments">
-						<div class="reply_content" ><%=h reply.content.html_safe %></div>
-						<!-- <div class="wiki">< %=h reply.content.html_safe %></div> -->
+						<div class="reply_content" ><%=h sanitize(reply.content.html_safe) %></div>
 						<p>
 							<% if reply.attachments.any?%>
 							<% options = {:author => true, :deletable => reply.deleted_attach_able_by?(User.current) } %>
@ -144,6 +143,7 @@

 <script type="text/javascript">
 jQuery(document).ready(function($) {
-	transpotUrl('#main');
+	transpotUrl('.lz');
+	transpotUrl('.replies');
 });
 </script>