typeahead: Confirm that header text is safe html.

All current definitions of header(), which is renamed to header_text() in this commit: composebox_typeahead.js - `get_header_html` uses `_.escape` - `render_topic_typeahead_hint` — is a handlebars function - third typeahead doesn’t have a header function custom_profile_fields.js, pill_typeahead.js, search.js, and settings_playground.js have typeaheads, but none of them have header functions.
2024-03-10 11:47:45 -07:00 · 2024-03-10 11:47:45 -07:00 · 7219e3835d
parent 135395e8ce
commit 7219e3835d
2 changed files with 8 additions and 8 deletions
--- a/web/src/composebox_typeahead.js
+++ b/web/src/composebox_typeahead.js
@ -1153,7 +1153,7 @@ export function initialize_compose_typeahead(selector) {
        completions,
        automated: compose_automated_selection,
        trigger_selection: compose_trigger_selection,
-        header: get_header_html,
+        header_html: get_header_html,
    });
 }

@ -1186,7 +1186,7 @@ export function initialize({on_enter_send}) {
            }
            return false;
        },
-        header: render_topic_typeahead_hint,
+        header_html: render_topic_typeahead_hint,
    });

    $("#private_message_recipient").typeahead({
--- a/web/third/bootstrap-typeahead/typeahead.js
+++ b/web/third/bootstrap-typeahead/typeahead.js
@ -44,10 +44,10 @@
 * 3. Header text:
 *
 *   This adds support for showing a custom header text like: "You are now
- *   completing a user mention". Provide the function `this.header` that
+ *   completing a user mention". Provide the function `this.header_html` that
 *   returns a string containing the header text, or false.
 *
- *   Our custom changes include all mentions of this.header, some CSS changes
+ *   Our custom changes include all mentions of this.header_html, some CSS changes
 *   in compose.css and splitting $container out of $menu so we can insert
 *   additional HTML before $menu.
 *
@ -172,7 +172,7 @@ const Typeahead = function (element, options) {
    this.on_move = this.options.on_move;
    this.on_escape = this.options.on_escape;
    // return a string to show in typeahead header or false.
-    this.header = this.options.header ?? (() => false);
+    this.header_html = this.options.header_html ?? (() => false);
    // return a string to show in typeahead items or false.
    this.option_label = this.options.option_label ?? (() => false);

@ -225,9 +225,9 @@ Typeahead.prototype = {
    },

    show() {
-        const header_text = this.header();
-        if (header_text) {
-            this.$header.find("span#typeahead-header-text").html(header_text);
+        const header_text_html = this.header_html();
+        if (header_text_html) {
+            this.$header.find("span#typeahead-header-text").html(header_text_html);
            this.$header.show();
        } else {
            this.$header.hide();