Commit Graph

9 Commits

Author SHA1 Message Date
Mike Dalessio e9cb2956ee Lightbox uses Stimulus target callbacks instead of data-action
Remove data-action from the sanitizer allowlist to disallow injection
of potentially malicious Stimulus actions in user-provided
content. The lightbox controller now uses imageTarget callbacks to
handle clicks on image links.

Also add the file name as a caption in the light box, and fix the
caption color for dark mode visibility.
2025-12-13 17:06:03 -05:00
Jorge Manrubia 59db345484 Don't lose existing values in case they had been set 2025-10-07 09:42:25 +02:00
Mike Dalessio 58ce8828fa Well, well, well, if it isn't the consequences of my own actions 2025-08-08 14:18:08 -04:00
Mike Dalessio 6bf61b631e Ensure sanitizer config applies to ActionText in production
In production, eager loading prevents the default sanitizer config
from applying to Action Text. Let's explicitly set it.

ref: https://fizzy.37signals.com/5986089/collections/2/cards/1123
2025-08-08 13:50:23 -04:00
Jason Zimdars c964c87d5b Don't strip lightbox attributes 2025-04-30 10:52:47 +02:00
Jason Zimdars 9b7d297027 Add rudimentary support for embedding videos 2025-01-30 16:47:42 -06:00
Jason Zimdars 441c68b8d7 Add data-turbo-frame attribute to links in comments 2025-01-30 15:20:40 -06:00
Jose Farias 4fc7ab1582 Spike potential redcarpet replacement 2024-12-17 00:32:58 -06:00
Jose Farias 2b9c4d9b71 Sanitize rendered markdown 2024-11-29 18:00:50 -06:00