]> git.openstreetmap.org Git - osqa.git/blobdiff - forum/skins/default/templates/ask.html
Prevent XSS attacks with wmd using the google-caja html sanitizer.
[osqa.git] / forum / skins / default / templates / ask.html
index bb4ad67357cd8e3154ff1669f27737aaa97a0428..ec5b1a8e80d6ac2fd5fb38cd541f9bdc9a1beff9 100644 (file)
@@ -5,6 +5,7 @@
 {% block forejs %}
         <script type='text/javascript' src='{% media  "/media/js/wmd/showdown.js" %}'></script>
         <script type='text/javascript' src='{% media  "/media/js/wmd/wmd.js" %}'></script>
+        <script type='text/javascript' src='{% media  "/media/js/html_sanitizer.js" %}'></script>
         <link rel="stylesheet" type="text/css" href="{% media  "/media/js/wmd/wmd.css" %}" />
         <script type="text/html" id="question-summary-template">
             <div class="answer-summary">
@@ -33,7 +34,7 @@
             });
 
             //Tags autocomplete action
-               $("#id_tags").autocomplete("/matching_tags/", {
+               $("#id_tags").autocomplete("{% url matching_tags %}", {
                 minChars: 1,
                        matchContains: true,
                 max: 10,
@@ -94,6 +95,7 @@
 <div id="main-body" class="ask-body">
     <div id="askform">
         <form id="fmask" action="" method="post" accept-charset="utf-8">
+            {% csrf_token %}
                        {% if not request.user.is_authenticated %}
             <div class="message">
                 <span class="strong big">{% trans "You are welcome to start submitting your question anonymously." %}</span>
                        <p class="title-desc">
                                {{ form.tags.help_text }}
                        </p>
+                       
+            {% if form.recaptcha %}
+            <div class="question-captcha" style="float: left">
+               {{ form.recaptcha.errors }}
+               {{ form.recaptcha }}
+            </div>
+            <div class="clear"></div>
+            {% endif %}
+                       
             {% if not request.user.is_authenticated %}                                                                        
             <input name="ask" type="button" value="{% trans "Login/signup to post your question" %}" class="submit" onclick="submitClicked(event, this.form)"/>
                        {% else %}