Topics.post without parsing


  • Global Moderator

    So, I'm pretty sure that Tpoics.post calls filter:post.raw on content. Is there any way of passing a direct HTML string? If not, is there another way of achieving the same tasks as Topic.post? I'm pretty sure it's just Topic.create followed by Topic.reply anyways.


  • Plugin & Theme Dev

    the post-parsing happens on post-request, not before saving the posts.
    So you'd need to switch off any filter:parse.raw calls before post-deliver (of certain posts)?

    As of this code filter:messaging.parse gets called with data-object that contains the parsed message and the original one.
    So using a high priority (or low, I simply can't remember this fact 😄 ) for your hook and replacing data.parsed and data.parsedMessage with data.message inside should fit your needs (even so you wouldn't minimize other plugins performance).


  • Community Rep

    @frissdiegurke said:

    filter:messaging.parse gets called with data-object that contains the parsed message and the original one.

    So using a high priority (or low, I simply can't remember this fact 😄 ) for your hook and replacing data.parsed and data.parsedMessage with data.message inside should fit your needs (even so you wouldn't minimize other plugins performance).

    No, man. It's for chat messages only. @pitaj wants to interact with topic posts.

    UPD: I'll try to dig the subj.


  • Plugin & Theme Dev

    @Mega Ah, my fault. So the real post-parsing works by calling the composer.renderPreview socket-id? because the search for filter:parse.raw doesn't show up any other possibilities 😄 just curious.

    EDIT: my mind is tricking me out. please ignore 🙂


  • Community Rep

    Uhm, it was kinda not so easy to dig it

    @pitaj said:

    So, I'm pretty sure that Tpoics.post calls filter:post.raw on content. Is there any way of passing a direct HTML string? If not, is there another way of achieving the same tasks as Topic.post?

    Yes, Topics.post() entails filter:parse.post and I don't see any possibility to avoid it without core changing.
    https://github.com/NodeBB/NodeBB/blob/master/src/topics/create.js#L255

    But, actually, if you even so wanna include raw html into posts, why would you just create another plugin?

    Let's say BB-code [rawhtml][/rawhtml]. It'll be listening to filter:post.parse and will have priority more than Markdown and friends. Now all what the plugin should do > just replace < > " inside BB-code to right symbols, and removes [rawhtml][/rawhtml] from post.

    What do you think, will it okay for you? :3


  • Global Moderator

    @Mega that solution has XSS vulnerability written all over it. It I add that tag as possible, anyone could use it in a post, which could add script tags, etc. I could maybe add a private key or something, but that is still dangerous.


  • Community Rep

    @Mega said:

    What do you think, will it okay for you? :3

    @pitaj said:

    that solution has XSS vulnerability

    Yup ^_^


 

| |

Looks like your connection to NodeBB was lost, please wait while we try to reconnect.