slapos_jio: fixup! Render text/html as html on domsugar

master/bt5/slapos_jio/PathTemplateItem/web_page_module/rjs_gadget_slapos_event_discussion_entry_js.js

@@ -11,19 +11,19 @@
     })
     .onStateChange(function () {
       var gadget = this,
-        header_text = "By " + gadget.state.author +
-           " on " + gadget.state.modification_date + ":",
+        header_text = "By <strong>" + gadget.state.author +
+           "</strong> on " + gadget.state.modification_date + ":",
         header = domsugar("div", {
           class: "slapos-event-discussion-message-header"
         }, [
-          domsugar('p', {text: header_text})
+          domsugar('p', {html: header_text})
         ]);
       if (gadget.state.content_type === 'text/html') {
         return domsugar(gadget.element, {}, [
           header,
           domsugar('div', {
             class: "slapos-event-discussion-message-body",
-            text: gadget.state.text_content
+            html: gadget.state.text_content
           })
         ]);
       }

master/bt5/slapos_jio/PathTemplateItem/web_page_module/rjs_gadget_slapos_event_discussion_entry_js.xml

@@ -236,7 +236,7 @@
                   </item>
                   <item>
                       <key> <string>serial</string> </key>
-                      <value> <string>1000.58263.12906.59494</string> </value>
+                      <value> <string>1001.26171.19762.42854</string> </value>
                   </item>
                   <item>
                       <key> <string>state</string> </key>
@@ -254,7 +254,7 @@
                           </tuple>
                           <state>
                             <tuple>
-                              <float>1655128468.51</float>
+                              <float>1659986314.17</float>
                               <string>UTC</string>
                             </tuple>
                           </state>

[Romain Courteaud]

@rafael beware of using html attribute. This allow XSS injection (what if the gadget.state.author contain html?). Instead, you should do something like:

header_text_element = domsugar('p', [
  'By ',
  domsugar('strong', {text: gadget.state.author}),
  ' on ',
  gadget.state.modification_date,
  ':'
])

[Rafael Monnerat]

Thanks, I forgot I could use raw string at the list.

[Romain Courteaud]

@rafael if you want to inject HTML in the page, please use the html_viewer gadget which cleans the html input.

[Rafael Monnerat]

I didnt know this gadget, I will check it.