in Ox.sanitizeHTML, allow mailto: links
This commit is contained in:
parent
17983efc47
commit
cc29f8f832
1 changed files with 33 additions and 64 deletions
|
@ -49,7 +49,7 @@
|
||||||
tag: {
|
tag: {
|
||||||
a: [
|
a: [
|
||||||
[
|
[
|
||||||
/<a [^<>]*?href="((https?:\/\/|\/).+?)".*?>/gi,
|
/<a [^<>]*?href="((https?:\/\/|mailto:|\/).+?)".*?>/gi,
|
||||||
'<a href="{1}">',
|
'<a href="{1}">',
|
||||||
],
|
],
|
||||||
[
|
[
|
||||||
|
@ -333,12 +333,16 @@
|
||||||
Ox.sanitizeHTML <f> Takes untrusted HTML and returns something trustworthy
|
Ox.sanitizeHTML <f> Takes untrusted HTML and returns something trustworthy
|
||||||
> Ox.sanitizeHTML('http://foo.com, bar')
|
> Ox.sanitizeHTML('http://foo.com, bar')
|
||||||
'<a href="http://foo.com">http://foo.com</a>, bar'
|
'<a href="http://foo.com">http://foo.com</a>, bar'
|
||||||
> Ox.sanitizeHTML('http://foo.com/foobar?foo, bar')
|
> Ox.sanitizeHTML('http://foo.com/foo?bar, bar')
|
||||||
'<a href="http://foo.com/foobar?foo">http://foo.com/foobar?foo</a>, bar'
|
'<a href="http://foo.com/foo?bar">http://foo.com/foo?bar</a>, bar'
|
||||||
> Ox.sanitizeHTML('(see: www.foo.com)')
|
> Ox.sanitizeHTML('(see: www.foo.com)')
|
||||||
'(see: <a href="http://www.foo.com">www.foo.com</a>)'
|
'(see: <a href="http://www.foo.com">www.foo.com</a>)'
|
||||||
> Ox.sanitizeHTML('foo@bar.com')
|
> Ox.sanitizeHTML('foo@bar.com')
|
||||||
'<a href="mailto:foo@bar.com">foo@bar.com</a>'
|
'<a href="mailto:foo@bar.com">foo@bar.com</a>'
|
||||||
|
> Ox.sanitizeHTML('<a href="mailto:foo@bar.com">foo</a>')
|
||||||
|
'<a href="mailto:foo@bar.com">foo</a>'
|
||||||
|
> Ox.sanitizeHTML('<a href="http://foo.com">foo</a>')
|
||||||
|
'<a href="http://foo.com">foo</a>'
|
||||||
> Ox.sanitizeHTML('<a href="http://foo.com" onclick="alert()">foo</a>')
|
> Ox.sanitizeHTML('<a href="http://foo.com" onclick="alert()">foo</a>')
|
||||||
'<a href="http://foo.com">foo</a>'
|
'<a href="http://foo.com">foo</a>'
|
||||||
> Ox.sanitizeHTML('<a href="javascript:alert()">foo</a>')
|
> Ox.sanitizeHTML('<a href="javascript:alert()">foo</a>')
|
||||||
|
@ -356,68 +360,33 @@
|
||||||
> Ox.sanitizeHTML('<b>foo</b></b>')
|
> Ox.sanitizeHTML('<b>foo</b></b>')
|
||||||
'<b>foo</b>'
|
'<b>foo</b>'
|
||||||
@*/
|
@*/
|
||||||
Ox.sanitizeHTML = (function() {
|
Ox.sanitizeHTML = function(html, tags) {
|
||||||
var defaultTags = [
|
var matches = [];
|
||||||
// inline formatting
|
tags = tags || defaultTags;
|
||||||
'b', 'code', 'i', 's', 'sub', 'sup', 'u',
|
// html = Ox.clean(html); fixme: can this be a parameter?
|
||||||
// block formatting
|
if (tags.indexOf('[]') > -1) {
|
||||||
'blockquote', 'h1', 'h2', 'h3', 'p', 'pre',
|
html = html.replace(/\[((https?:\/\/|mailto:|\/).+?) (.+?)\]/gi, '<a href="$1">$3</a>');
|
||||||
// lists
|
tags = tags.filter(function(tag) {
|
||||||
'li', 'ol', 'ul',
|
return tag != '[]';
|
||||||
// tables
|
});
|
||||||
'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr',
|
}
|
||||||
// other
|
tags.forEach(function(tag) {
|
||||||
'a', 'br', 'img',
|
var array = replace.tag[tag] || replace.tag['*'](tag);
|
||||||
// special
|
Ox.forEach(array, function(value) {
|
||||||
'rtl', '[]'
|
html = html.replace(value[0], function() {
|
||||||
],
|
matches.push(Ox.formatString(value[1], arguments));
|
||||||
parse = {
|
return salt.join(matches.length - 1);
|
||||||
a: {
|
|
||||||
'<a [^<>]*?href="((https?:\/\/|\/).+?)".*?>': '<a href="{1}">',
|
|
||||||
'<\/a>': '</a>'
|
|
||||||
},
|
|
||||||
img: {
|
|
||||||
'<img [^<>]*?src="((https?:\/\/|\/).+?)".*?>': '<img src="{1}">'
|
|
||||||
},
|
|
||||||
rtl: {
|
|
||||||
'<rtl>': '<div style="direction: rtl">',
|
|
||||||
'<\/rtl>': '</div>'
|
|
||||||
},
|
|
||||||
'*': function(tag) {
|
|
||||||
var ret = {};
|
|
||||||
ret['<(/?' + tag + ') ?/?>'] = '<{1}>';
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
},
|
|
||||||
tab = '\t';
|
|
||||||
return function(html, tags, wikilinks) {
|
|
||||||
var matches = [];
|
|
||||||
tags = tags || defaultTags;
|
|
||||||
// html = Ox.clean(html); fixme: can this be a parameter?
|
|
||||||
if (tags.indexOf('[]') > -1) {
|
|
||||||
html = html.replace(/\[((https?:\/\/|\/).+?) (.+?)\]/gi, '<a href="$1">$3</a>');
|
|
||||||
tags = tags.filter(function(tag) {
|
|
||||||
return tag != '[]';
|
|
||||||
});
|
|
||||||
}
|
|
||||||
tags.forEach(function(tag) {
|
|
||||||
var array = replace.tag[tag] || replace.tag['*'](tag);
|
|
||||||
Ox.forEach(array, function(value) {
|
|
||||||
html = html.replace(value[0], function() {
|
|
||||||
matches.push(Ox.formatString(value[1], arguments));
|
|
||||||
return salt.join(matches.length - 1);
|
|
||||||
});
|
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
html = Ox.addLinks(Ox.encodeHTMLEntities(html), true);
|
});
|
||||||
matches.forEach(function(match, i) {
|
html = Ox.addLinks(Ox.encodeHTMLEntities(html), true);
|
||||||
html = html.replace(new RegExp(salt.join(i)), match);
|
matches.forEach(function(match, i) {
|
||||||
});
|
html = html.replace(new RegExp(salt.join(i)), match);
|
||||||
html = html.replace(/\n\n/g, '<br/><br/>');
|
});
|
||||||
// Close extra opening and remove extra closing tags.
|
html = html.replace(/\n\n/g, '<br/><br/>');
|
||||||
// Note: this converts ''' to "'" and '"' to '"'
|
// Close extra opening and remove extra closing tags.
|
||||||
return Ox.normalizeHTML(html);
|
// Note: this converts ''' to "'" and '"' to '"'
|
||||||
};
|
return Ox.normalizeHTML(html);
|
||||||
}());
|
};
|
||||||
|
|
||||||
}());
|
}());
|
||||||
|
|
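Review bot: The allowed-scheme alternation `(https?:\/\/|mailto:|\/)` is now spelled out twice — once in the `a` tag rule (`/<a [^<>]*?href="((https?:\/\/|mailto:|\/).+?)".*?>/gi`) and again in the wiki-link expansion (`/\[((https?:\/\/|mailto:|\/).+?) (.+?)\]/gi`) — so every future change to the sanitizer's URL allowlist has to be made in two places, which is exactly the kind of drift this commit itself had to correct. Define the allowlist once, e.g. `var urlSchemes = '(https?:\\/\\/|mailto:|\\/)';`, and build both patterns from it with `new RegExp('<a [^<>]*?href="(' + urlSchemes + '.+?)".*?>', 'gi')` and `new RegExp('\\[(' + urlSchemes + '.+?) (.+?)\\]', 'gi')`, so the set of accepted schemes has a single definition. As far as the hunk shows, the `<a href="$1">` produced by the wiki-link pass is re-validated by the `a` rule on the following tag pass, so the duplication reads as a maintainability risk rather than a bypass, but that depends on the `replace` table and the enclosing IIFE, both of which start outside this hunk. It would also be worth adding a doc example for a wiki-link with a non-allowlisted scheme next to the new `mailto:` example, so the `[]` path has a negative case like the existing `javascript:` one.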