diff --git a/source/Ox/js/HTML.js b/source/Ox/js/HTML.js index ebb2834d..136a4135 100644 --- a/source/Ox/js/HTML.js +++ b/source/Ox/js/HTML.js @@ -49,7 +49,7 @@ tag: { a: [ [ - /]*?href="((https?:\/\/|\/).+?)".*?>/gi, + /]*?href="((https?:\/\/|mailto:|\/).+?)".*?>/gi, '', ], [ @@ -333,12 +333,16 @@ Ox.sanitizeHTML Takes untrusted HTML and returns something trustworthy > Ox.sanitizeHTML('http://foo.com, bar') 'http://foo.com, bar' - > Ox.sanitizeHTML('http://foo.com/foobar?foo, bar') - 'http://foo.com/foobar?foo, bar' + > Ox.sanitizeHTML('http://foo.com/foo?bar, bar') + 'http://foo.com/foo?bar, bar' > Ox.sanitizeHTML('(see: www.foo.com)') '(see: www.foo.com)' > Ox.sanitizeHTML('foo@bar.com') 'foo@bar.com' + > Ox.sanitizeHTML('foo') + 'foo' + > Ox.sanitizeHTML('foo') + 'foo' > Ox.sanitizeHTML('foo') 'foo' > Ox.sanitizeHTML('foo') @@ -356,68 +360,33 @@ > Ox.sanitizeHTML('foo') 'foo' @*/ - Ox.sanitizeHTML = (function() { - var defaultTags = [ - // inline formatting - 'b', 'code', 'i', 's', 'sub', 'sup', 'u', - // block formatting - 'blockquote', 'h1', 'h2', 'h3', 'p', 'pre', - // lists - 'li', 'ol', 'ul', - // tables - 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', - // other - 'a', 'br', 'img', - // special - 'rtl', '[]' - ], - parse = { - a: { - ']*?href="((https?:\/\/|\/).+?)".*?>': '', - '<\/a>': '' - }, - img: { - ']*?src="((https?:\/\/|\/).+?)".*?>': '' - }, - rtl: { - '': '
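Review bot: The widened allow-list in the `a` rule, `href="((https?:\/\/|mailto:|\/).+?)"`, is a prefix check only, and the captured value `{1}` is spliced into the rebuilt anchor and restored after `Ox.encodeHTMLEntities` has run, so it reaches the output unencoded (the tag text itself is stripped in this rendering, so the exact replacement string is inferred). That is safe from attribute break-out only because the lazy `.+?` stops at the first `"`; nothing else in the rule constrains the value, and the `mailto:` case relies on the same guarantee. I would state that invariant next to the rule so it survives the next edit: `// {1} is emitted raw: safe only because the capture cannot contain '"'; keep the scheme prefix anchored`. The enclosing `replace.tag` table starts and ends outside this hunk.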
', - '<\/rtl>': '
' - }, - '*': function(tag) { - var ret = {}; - ret['<(/?' + tag + ') ?/?>'] = '<{1}>'; - return ret; - } - }, - tab = '\t'; - return function(html, tags, wikilinks) { - var matches = []; - tags = tags || defaultTags; - // html = Ox.clean(html); fixme: can this be a parameter? - if (tags.indexOf('[]') > -1) { - html = html.replace(/\[((https?:\/\/|\/).+?) (.+?)\]/gi, '$3'); - tags = tags.filter(function(tag) { - return tag != '[]'; - }); - } - tags.forEach(function(tag) { - var array = replace.tag[tag] || replace.tag['*'](tag); - Ox.forEach(array, function(value) { - html = html.replace(value[0], function() { - matches.push(Ox.formatString(value[1], arguments)); - return salt.join(matches.length - 1); - }); + Ox.sanitizeHTML = function(html, tags) { + var matches = []; + tags = tags || defaultTags; + // html = Ox.clean(html); fixme: can this be a parameter? + if (tags.indexOf('[]') > -1) { + html = html.replace(/\[((https?:\/\/|mailto:|\/).+?) (.+?)\]/gi, '$3'); + tags = tags.filter(function(tag) { + return tag != '[]'; + }); + } + tags.forEach(function(tag) { + var array = replace.tag[tag] || replace.tag['*'](tag); + Ox.forEach(array, function(value) { + html = html.replace(value[0], function() { + matches.push(Ox.formatString(value[1], arguments)); + return salt.join(matches.length - 1); }); }); - html = Ox.addLinks(Ox.encodeHTMLEntities(html), true); - matches.forEach(function(match, i) { - html = html.replace(new RegExp(salt.join(i)), match); - }); - html = html.replace(/\n\n/g, '

'); - // Close extra opening and remove extra closing tags. - // Note: this converts ''' to "'" and '"' to '"' - return Ox.normalizeHTML(html); - }; - }()); + }); + html = Ox.addLinks(Ox.encodeHTMLEntities(html), true); + matches.forEach(function(match, i) { + html = html.replace(new RegExp(salt.join(i)), match); + }); + html = html.replace(/\n\n/g, '

'); + // Close extra opening and remove extra closing tags. + // Note: this converts ''' to "'" and '"' to '"' + return Ox.normalizeHTML(html); + }; }());
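Review bot: In the restore loop, `html = html.replace(new RegExp(salt.join(i)), match)` passes `match` as a string replacement, so `$`-sequences inside it (`$&`, `$'`, `` $` ``, `$n`) are interpreted by `String.prototype.replace`, and `match` contains the user-supplied href captured by the `a`/`img` rules; an href such as `https://x/$'` duplicates trailing text (including not-yet-restored placeholders) and `$&` leaves the salt placeholder in the output. Use a function replacement so the stored tag is inserted literally: `html = html.replace(new RegExp(salt.join(i)), function() { return match; });`. The same line also assumes `salt` contains no regex metacharacters; `salt`, `defaultTags` and `replace` are now defined in the enclosing IIFE, which starts outside this hunk, so I cannot confirm that from here. Dropping the unused `wikilinks` parameter is backward-compatible since extra arguments are ignored.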