Closed djstevenson closed 4 years ago
This MUST be fixed before we deploy!
Merging in ticket #228 which is about refactoring NeverTire::View::Comment::Render - closing that ticket as a dupe
Forthcoming PR puts comment rendering into Mojo templates. It's only a couple of percent slower, yet it's way neater code, and is also safer.
Re-open: PR #229 moved the rendering into templates, but the comments themselves are still rendered by the Markdown processor, which is allowing HTML.
The Markdown renderer allows HTML, which is passed through as-is. This is fine for admin-edited content, but not for user comments.
Options: