From cc29f8f83220bf5bbee81cd7c8bb06ccc3a508e9 Mon Sep 17 00:00:00 2001
From: rolux <rolux@rolux.org>
Date: Sun, 27 May 2012 13:28:08 +0200
Subject: [PATCH] in Ox.sanitizeHTML, allow mailto: links

---
 source/Ox/js/HTML.js | 97 +++++++++++++++-----------------------------
 1 file changed, 33 insertions(+), 64 deletions(-)

diff --git a/source/Ox/js/HTML.js b/source/Ox/js/HTML.js
index ebb2834d..136a4135 100644
--- a/source/Ox/js/HTML.js
+++ b/source/Ox/js/HTML.js
@@ -49,7 +49,7 @@
             tag: {
                 a: [
                     [
-                        /<a [^<>]*?href="((https?:\/\/|\/).+?)".*?>/gi,
+                        /<a [^<>]*?href="((https?:\/\/|mailto:|\/).+?)".*?>/gi,
                         '<a href="{1}">',
                     ],
                     [
@@ -333,12 +333,16 @@
     Ox.sanitizeHTML <f> Takes untrusted HTML and returns something trustworthy
         > Ox.sanitizeHTML('http://foo.com, bar')
         '<a href="http://foo.com">http://foo.com</a>, bar'
-        > Ox.sanitizeHTML('http://foo.com/foobar?foo, bar')
-        '<a href="http://foo.com/foobar?foo">http://foo.com/foobar?foo</a>, bar'
+        > Ox.sanitizeHTML('http://foo.com/foo?bar, bar')
+        '<a href="http://foo.com/foo?bar">http://foo.com/foo?bar</a>, bar'
         > Ox.sanitizeHTML('(see: www.foo.com)')
         '(see: <a href="http://www.foo.com">www.foo.com</a>)'
         > Ox.sanitizeHTML('foo@bar.com')
         '<a href="mailto:foo@bar.com">foo@bar.com</a>'
+        > Ox.sanitizeHTML('<a href="mailto:foo@bar.com">foo</a>')
+        '<a href="mailto:foo@bar.com">foo</a>'
+        > Ox.sanitizeHTML('<a href="http://foo.com">foo</a>')
+        '<a href="http://foo.com">foo</a>'
         > Ox.sanitizeHTML('<a href="http://foo.com" onclick="alert()">foo</a>')
         '<a href="http://foo.com">foo</a>'
         > Ox.sanitizeHTML('<a href="javascript:alert()">foo</a>')
@@ -356,68 +360,33 @@
         > Ox.sanitizeHTML('<b>foo</b></b>')
         '<b>foo</b>'
     @*/
-    Ox.sanitizeHTML = (function() {
-        var defaultTags = [
-                // inline formatting
-                'b', 'code', 'i', 's', 'sub', 'sup', 'u',
-                // block formatting
-                'blockquote', 'h1', 'h2', 'h3', 'p', 'pre',
-                // lists
-                'li', 'ol', 'ul',
-                // tables
-                'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr',
-                // other
-                'a', 'br', 'img',
-                // special
-                'rtl', '[]'
-            ],
-            parse = {
-                a: {
-                    '<a [^<>]*?href="((https?:\/\/|\/).+?)".*?>': '<a href="{1}">',
-                    '<\/a>': '</a>'
-                },
-                img: {
-                    '<img [^<>]*?src="((https?:\/\/|\/).+?)".*?>': '<img src="{1}">'
-                },
-                rtl: {
-                    '<rtl>': '<div style="direction: rtl">',
-                    '<\/rtl>': '</div>'
-                },
-                '*': function(tag) {
-                    var ret = {};
-                    ret['<(/?' + tag + ') ?/?>'] = '<{1}>';
-                    return ret;
-                }
-            },
-            tab = '\t';
-        return function(html, tags, wikilinks) {
-            var matches = [];
-            tags = tags || defaultTags;
-            // html = Ox.clean(html); fixme: can this be a parameter?
-            if (tags.indexOf('[]') > -1) {
-                html = html.replace(/\[((https?:\/\/|\/).+?) (.+?)\]/gi, '<a href="$1">$3</a>');
-                tags = tags.filter(function(tag) {
-                    return tag != '[]';
-                });
-            }
-            tags.forEach(function(tag) {
-                var array = replace.tag[tag] || replace.tag['*'](tag);
-                Ox.forEach(array, function(value) {
-                    html = html.replace(value[0], function() {
-                        matches.push(Ox.formatString(value[1], arguments));
-                        return salt.join(matches.length - 1);
-                    });
+    Ox.sanitizeHTML = function(html, tags) {
+        var matches = [];
+        tags = tags || defaultTags;
+        // html = Ox.clean(html); fixme: can this be a parameter?
+        if (tags.indexOf('[]') > -1) {
+            html = html.replace(/\[((https?:\/\/|mailto:|\/).+?) (.+?)\]/gi, '<a href="$1">$3</a>');
+            tags = tags.filter(function(tag) {
+                return tag != '[]';
+            });
+        }
+        tags.forEach(function(tag) {
+            var array = replace.tag[tag] || replace.tag['*'](tag);
+            Ox.forEach(array, function(value) {
+                html = html.replace(value[0], function() {
+                    matches.push(Ox.formatString(value[1], arguments));
+                    return salt.join(matches.length - 1);
                 });
             });
-            html = Ox.addLinks(Ox.encodeHTMLEntities(html), true);
-            matches.forEach(function(match, i) {
-                html = html.replace(new RegExp(salt.join(i)), match);
-            });
-            html = html.replace(/\n\n/g, '<br/><br/>');
-            // Close extra opening and remove extra closing tags.
-            // Note: this converts '&apos;' to "'" and '&quot;' to '"'
-            return Ox.normalizeHTML(html);
-        };
-    }());
+        });
+        html = Ox.addLinks(Ox.encodeHTMLEntities(html), true);
+        matches.forEach(function(match, i) {
+            html = html.replace(new RegExp(salt.join(i)), match);
+        });
+        html = html.replace(/\n\n/g, '<br/><br/>');
+        // Close extra opening and remove extra closing tags.
+        // Note: this converts '&apos;' to "'" and '&quot;' to '"'
+        return Ox.normalizeHTML(html);
+    };
 
 }());