Prevent XSS attacks with wmd using the google-caja html sanitizer.

[osqa.git] / forum / skins / default / templates / question_edit.html
diff --git a/forum/skins/default/templates/question_edit.html b/forum/skins/default/templates/question_edit.html

index 69bf688ef6df0bae9bd98768e5c1c5a5f3fb585a..4f4395080af6cc136e1e8796111129f745f13941 100644 (file)
--- a/forum/skins/default/templates/question_edit.html
+++ b/forum/skins/default/templates/question_edit.html
@@ -6,6 +6,7 @@
  {% block forejs %}
          <script type='text/javascript' src='{% media  "/media/js/wmd/showdown.js" %}'></script>
          <script type='text/javascript' src='{% media  "/media/js/wmd/wmd.js" %}'></script>
+        <script type='text/javascript' src='{% media  "/media/js/html_sanitizer.js" %}'></script>
          <link rel="stylesheet" type="text/css" href="{% media  "/media/js/wmd/wmd.css" %}" />
          <script type="text/javascript">
                 //todo move javascript out        
@@ -26,7 +27,7 @@
              });
              
              //Tags autocomplete action
-               $("#id_tags").autocomplete("/matching_tags/", {
+               $("#id_tags").autocomplete("{% url matching_tags %}", {
                         matchContains: true,
                  max: 20,
                  multiple: true,
@@ -41,11 +42,11 @@
                      return row.n;
                  }*/
                  formatItem: function(row, i, max, value) {
-                    return row[1].split(".")[0] + " (" + row[1].split(".")[1] + ")";
+                    return row[1] + " (" + row[2] + ")";
                  },
  
                  formatResult: function(row, i, max, value){
-                    return row[0];
+                    return row[1];
                  }
                  
              });         
@@ -88,11 +89,12 @@
          
  {% block content %}
  <div id="main-bar" class="headNormal">
-    {% trans "Edit question" %} [<a href="{{ question.get_absolute_url }}">{% trans "back" %}</a>]
+    {% block edittype %}{% trans "Edit question" %}{% endblock %} [<a href="{{ question.get_absolute_url }}">{% trans "back" %}</a>]
  </div>
  <div id="main-body" class="ask-body">
      <div id="askform">
-        <form id="fmedit" action="{% url edit_question question.id %}" method="post" >
+        <form id="fmedit" action="" method="post">
+            {% csrf_token %}
              <label for="id_revision" ><strong>{% trans "revision" %}:</strong></label> <br/> 
              {% if revision_form.revision.errors %}{{ revision_form.revision.errors.as_ul }}{% endif %}
              <div style="vertical-align:middle">
@@ -116,6 +118,7 @@
                              <td>
                                  <span id="pre-collapse" title="{% trans "Toggle the real time Markdown editor preview" %}">{% trans "toggle preview" %}</span>
                              </td>
+                            <td style="text-align: right;" id="editor-metrics"></td>
                              {% if settings.WIKI_ON %}
                              <td style="text-align:right;">
                                  {{ form.wiki }} <span style="color:#000;cursor:help" title="{{form.wiki.help_text}}">{{ form.wiki.label_tag }} </span>
@@ -139,6 +142,15 @@
              <div class="title-desc">
                  {{ form.summary.help_text }}
              </div>
+            
+            {% if form.recaptcha %}
+            <div class="question-captcha" style="float: left">
+               {{ form.recaptcha.errors }}
+               {{ form.recaptcha }}
+            </div>
+            <div class="clear"></div>
+            {% endif %}
+            
              <div class="error" ></div>
              <input type="button" value="{% trans "Save edit" %}" class="submit" onclick="submitClicked(event, this.form)" />
              <input type="button" value="{% trans "Cancel" %}" class="submit" onclick="submitClicked(event, null); history.back(-1);" />