e9cb2956ee
Remove data-action from the sanitizer allowlist to disallow injection of potentially malicious Stimulus actions in user-provided content. The lightbox controller now uses imageTarget callbacks to handle clicks on image links. Also add the file name as a caption in the light box, and fix the caption color for dark mode visibility.
26 lines
1.0 KiB
Plaintext
26 lines
1.0 KiB
Plaintext
<% variant = Attachments::VARIANTS[local_assigns[:in_gallery] ? :small : :large] %>
|
|
<% width = blob.metadata["width"] %>
|
|
<% height = blob.metadata["height"] %>
|
|
|
|
<% if blob.video? %>
|
|
<%= tag.video \
|
|
src: rails_blob_path(blob),
|
|
controls: true,
|
|
preload: :none,
|
|
style: "aspect-ratio: #{width} / #{height};",
|
|
width: width,
|
|
height: height %>
|
|
<% elsif blob.audio? %>
|
|
<audio controls="true" width="100%" preload="metadata">
|
|
<source src="<%= rails_blob_url(blob) %>" type="<%= blob.content_type %>">
|
|
</audio>
|
|
<% elsif blob.variable? %>
|
|
<%= link_to url_for(blob.variant(variant)), data: { lightbox_target: "image", lightbox_caption_value: blob.filename.to_s } do %>
|
|
<%= image_tag url_for(blob.variant(variant)), width: width, height: height %>
|
|
<% end %>
|
|
<% elsif blob.previewable? %>
|
|
<%= image_tag url_for(blob.preview(variant)), width: width, height: height %>
|
|
<% else %>
|
|
<span class="attachment__icon"><%= blob.filename.extension&.downcase.presence || "unknown" %></span>
|
|
<% end %>
|