FIX: Keep onebox styling in edit history

FIX: Keep onebox styling in edit history

diff --git a/app/assets/javascripts/discourse/app/controllers/history.js b/app/assets/javascripts/discourse/app/controllers/history.js
index b368a28..4ed3da9 100644
--- a/app/assets/javascripts/discourse/app/controllers/history.js
+++ b/app/assets/javascripts/discourse/app/controllers/history.js
@@ -261,9 +261,10 @@ export default Controller.extend(ModalFunctionality, {
       this.set("bodyDiff", html);
     } else {
       const opts = {
-        features: { editHistory: true },
+        features: { editHistory: true, historyOneboxes: true },
         whiteListed: {
-          editHistory: { custom: (tag, attr) => attr === "class" }
+          editHistory: { custom: (tag, attr) => attr === "class" },
+          historyOneboxes: ["header", "article", "div[style]"]
         }
       };
 
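Review bot: The new `historyOneboxes: ["header", "article", "div[style]"]` entry allows the `style` attribute on every `<div>` in revision content with no constraint on its value, while the accompanying test only exercises `style="clear: both"`; whether that is safe depends on how the sanitizer treats CSS values in `style` (for instance ones that load external resources), which this hunk does not show. If the sanitizer does not filter CSS itself, a narrower allowance matching what oneboxes actually emit, or at least a comment stating the assumption, would make the intent reviewable, e.g. `// oneboxes emit <div style="clear: both">; the sanitizer is relied on to reject unsafe CSS values`. The `opts` object and its consumer continue outside the hunk.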
diff --git a/test/javascripts/controllers/history-test.js b/test/javascripts/controllers/history-test.js
index 6d8ccae..0d87882 100644
--- a/test/javascripts/controllers/history-test.js
+++ b/test/javascripts/controllers/history-test.js
@@ -40,6 +40,17 @@ QUnit.test("displayEdit", async function(assert) {
   const html = `<div class="revision-content">
   <p><img src="/uploads/default/original/1X/6b963ffc13cb0c053bbb90c92e99d4fe71b286ef.jpg" alt="" class="diff-del"><img/src=x onerror=alert(document.domain)>" width="276" height="183"></p>
 </div>
+<aside class="onebox whitelistedgeneric">
+  <header class="source">
+    <img src="/uploads/default/original/1X/1b0984d7ee08bce90572f46a1950e1ced436d028.png" class="site-icon" width="32" height="32">
+    <a href="https://meta.discourse.org/t/discourse-version-2-5/125302">Discourse Meta – 9 Aug 19</a>
+  </header>
+  <article class="onebox-body">
+    <img src="/uploads/default/optimized/1X/ecc92a52ee7353e03d5c0d1ea6521ce4541d9c25_2_500x500.png" class="thumbnail onebox-avatar d-lazyload" width="500" height="500">
+    <h3><a href="https://meta.discourse.org/t/discourse-version-2-5/125302" target="_blank">Discourse Version 2.5</a></h3>
+    <div style="clear: both"></div>
+  </article>
+</aside>
 <table background="javascript:alert(\"HACKEDXSS\")">
   <thead>
     <tr>
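Review bot: The onebox fixture added here and in the following hunk is byte-identical on the input and expected-output sides, so the test only proves that benign onebox markup survives, not that the new `div[style]` allowance is bounded. A second `<div>` inside the onebox carrying a non-whitelisted attribute, and a `style` value other than `clear: both`, with the expected output showing them stripped, would pin down what the sanitizer still removes. The `displayEdit` test body starts before this hunk and ends in the last one.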
@@ -58,6 +69,17 @@ QUnit.test("displayEdit", async function(assert) {
   const expectedOutput = `<div class="revision-content">
   <p><img src="/uploads/default/original/1X/6b963ffc13cb0c053bbb90c92e99d4fe71b286ef.jpg" alt class="diff-del">" width="276" height="183"&gt;</p>
 </div>
+<aside class="onebox whitelistedgeneric">
+  <header class="source">
+    <img src="/uploads/default/original/1X/1b0984d7ee08bce90572f46a1950e1ced436d028.png" class="site-icon" width="32" height="32">
+    <a href="https://meta.discourse.org/t/discourse-version-2-5/125302">Discourse Meta – 9 Aug 19</a>
+  </header>
+  <article class="onebox-body">
+    <img src="/uploads/default/optimized/1X/ecc92a52ee7353e03d5c0d1ea6521ce4541d9c25_2_500x500.png" class="thumbnail onebox-avatar d-lazyload" width="500" height="500">
+    <h3><a href="https://meta.discourse.org/t/discourse-version-2-5/125302" target="_blank">Discourse Version 2.5</a></h3>
+    <div style="clear: both"></div>
+  </article>
+</aside>
 <table>
   <thead>
     <tr>
@@ -85,5 +107,9 @@ QUnit.test("displayEdit", async function(assert) {
   await HistoryController.bodyDiffChanged();
 
   const output = HistoryController.get("bodyDiff");
-  assert.equal(output, expectedOutput, "it keeps safe HTML");
+  assert.equal(
+    output,
+    expectedOutput,
+    "it keeps HTML safe and doesn't strip onebox tags"
+  );
 });

GitHub sha: 298393a5
