Mike Dalessio
e9cb2956ee
Lightbox uses Stimulus target callbacks instead of data-action
...
Remove data-action from the sanitizer allowlist to disallow injection
of potentially malicious Stimulus actions in user-provided
content. The lightbox controller now uses imageTarget callbacks to
handle clicks on image links.
Also add the file name as a caption in the light box, and fix the
caption color for dark mode visibility.
2025-12-13 17:06:03 -05:00
Jorge Manrubia
59db345484
Don't lose existing values in case they had been set
2025-10-07 09:42:25 +02:00
Mike Dalessio
58ce8828fa
Well, well, well, if it isn't the consequences of my own actions
2025-08-08 14:18:08 -04:00
Mike Dalessio
6bf61b631e
Ensure sanitizer config applies to ActionText in production
...
In production, eager loading prevents the default sanitizer config
from applying to Action Text. Let's explicitly set it.
ref: https://fizzy.37signals.com/5986089/collections/2/cards/1123
2025-08-08 13:50:23 -04:00
Jason Zimdars
c964c87d5b
Don't strip lightbox attributes
2025-04-30 10:52:47 +02:00
Jason Zimdars
9b7d297027
Add rudimentary support for embedding videos
2025-01-30 16:47:42 -06:00
Jason Zimdars
441c68b8d7
Add data-turbo-frame attribute to links in comments
2025-01-30 15:20:40 -06:00
Jose Farias
4fc7ab1582
Spike potential redcarpet replacement
2024-12-17 00:32:58 -06:00
Jose Farias
2b9c4d9b71
Sanitize rendered markdown
2024-11-29 18:00:50 -06:00