in Ox.sanitizeHTML, allow mailto: links

rolux 2012-05-27 13:28:08 +02:00
parent 17983efc47
commit cc29f8f832


@ -49,7 +49,7 @@
tag: { tag: {
a: [ a: [
[ [
/<a [^<>]*?href="((https?:\/\/|\/).+?)".*?>/gi, /<a [^<>]*?href="((https?:\/\/|mailto:|\/).+?)".*?>/gi,
'<a href="{1}">', '<a href="{1}">',
], ],
[ [
@ -333,12 +333,16 @@
Ox.sanitizeHTML <f> Takes untrusted HTML and returns something trustworthy Ox.sanitizeHTML <f> Takes untrusted HTML and returns something trustworthy
> Ox.sanitizeHTML('http://foo.com, bar') > Ox.sanitizeHTML('http://foo.com, bar')
'<a href="http://foo.com">http://foo.com</a>, bar' '<a href="http://foo.com">http://foo.com</a>, bar'
> Ox.sanitizeHTML('http://foo.com/foobar?foo, bar') > Ox.sanitizeHTML('http://foo.com/foo?bar, bar')
'<a href="http://foo.com/foobar?foo">http://foo.com/foobar?foo</a>, bar' '<a href="http://foo.com/foo?bar">http://foo.com/foo?bar</a>, bar'
> Ox.sanitizeHTML('(see: www.foo.com)') > Ox.sanitizeHTML('(see: www.foo.com)')
'(see: <a href="http://www.foo.com">www.foo.com</a>)' '(see: <a href="http://www.foo.com">www.foo.com</a>)'
> Ox.sanitizeHTML('foo@bar.com') > Ox.sanitizeHTML('foo@bar.com')
'<a href="mailto:foo@bar.com">foo@bar.com</a>' '<a href="mailto:foo@bar.com">foo@bar.com</a>'
> Ox.sanitizeHTML('<a href="mailto:foo@bar.com">foo</a>')
'<a href="mailto:foo@bar.com">foo</a>'
> Ox.sanitizeHTML('<a href="http://foo.com">foo</a>')
'<a href="http://foo.com">foo</a>'
> Ox.sanitizeHTML('<a href="http://foo.com" onclick="alert()">foo</a>') > Ox.sanitizeHTML('<a href="http://foo.com" onclick="alert()">foo</a>')
'<a href="http://foo.com">foo</a>' '<a href="http://foo.com">foo</a>'
> Ox.sanitizeHTML('<a href="javascript:alert()">foo</a>') > Ox.sanitizeHTML('<a href="javascript:alert()">foo</a>')
@ -356,68 +360,33 @@
> Ox.sanitizeHTML('<b>foo</b></b>') > Ox.sanitizeHTML('<b>foo</b></b>')
'<b>foo</b>' '<b>foo</b>'
@*/ @*/
Ox.sanitizeHTML = (function() { Ox.sanitizeHTML = function(html, tags) {
var defaultTags = [ var matches = [];
// inline formatting tags = tags || defaultTags;
'b', 'code', 'i', 's', 'sub', 'sup', 'u', // html = Ox.clean(html); fixme: can this be a parameter?
// block formatting if (tags.indexOf('[]') > -1) {
'blockquote', 'h1', 'h2', 'h3', 'p', 'pre', html = html.replace(/\[((https?:\/\/|mailto:|\/).+?) (.+?)\]/gi, '<a href="$1">$3</a>');
// lists tags = tags.filter(function(tag) {
'li', 'ol', 'ul', return tag != '[]';
// tables });
'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', }
// other tags.forEach(function(tag) {
'a', 'br', 'img', var array = replace.tag[tag] || replace.tag['*'](tag);
// special Ox.forEach(array, function(value) {
'rtl', '[]' html = html.replace(value[0], function() {
], matches.push(Ox.formatString(value[1], arguments));
parse = { return salt.join(matches.length - 1);
a: {
'<a [^<>]*?href="((https?:\/\/|\/).+?)".*?>': '<a href="{1}">',
'<\/a>': '</a>'
},
img: {
'<img [^<>]*?src="((https?:\/\/|\/).+?)".*?>': '<img src="{1}">'
},
rtl: {
'<rtl>': '<div style="direction: rtl">',
'<\/rtl>': '</div>'
},
'*': function(tag) {
var ret = {};
ret['<(/?' + tag + ') ?/?>'] = '<{1}>';
return ret;
}
},
tab = '\t';
return function(html, tags, wikilinks) {
var matches = [];
tags = tags || defaultTags;
// html = Ox.clean(html); fixme: can this be a parameter?
if (tags.indexOf('[]') > -1) {
html = html.replace(/\[((https?:\/\/|\/).+?) (.+?)\]/gi, '<a href="$1">$3</a>');
tags = tags.filter(function(tag) {
return tag != '[]';
});
}
tags.forEach(function(tag) {
var array = replace.tag[tag] || replace.tag['*'](tag);
Ox.forEach(array, function(value) {
html = html.replace(value[0], function() {
matches.push(Ox.formatString(value[1], arguments));
return salt.join(matches.length - 1);
});
}); });
}); });
html = Ox.addLinks(Ox.encodeHTMLEntities(html), true); });
matches.forEach(function(match, i) { html = Ox.addLinks(Ox.encodeHTMLEntities(html), true);
html = html.replace(new RegExp(salt.join(i)), match); matches.forEach(function(match, i) {
}); html = html.replace(new RegExp(salt.join(i)), match);
html = html.replace(/\n\n/g, '<br/><br/>'); });
// Close extra opening and remove extra closing tags. html = html.replace(/\n\n/g, '<br/><br/>');
// Note: this converts '&apos;' to "'" and '&quot;' to '"' // Close extra opening and remove extra closing tags.
return Ox.normalizeHTML(html); // Note: this converts '&apos;' to "'" and '&quot;' to '"'
}; return Ox.normalizeHTML(html);
}()); };
}()); }());
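Review bot: The wikilink rewrite on the new side of the third hunk, `html.replace(/\[((https?:\/\/|mailto:|\/).+?) (.+?)\]/gi, '<a href="$1">$3</a>')`, captures the URL with `.+?`, so a `"` inside the bracketed link (e.g. `[http://a"x y]`) lands in the generated `href` attribute and closes it early. As far as the hunk shows, this is only neutralized because the `a` entry of `replace.tag` (first hunk) later re-matches the anchor and keeps just the part up to the first `"`; when a caller enables `'[]'` without `'a'`, the anchor presumably goes through `Ox.encodeHTMLEntities` instead, which I cannot confirm from here. It would be cleaner not to rely on the second pass and exclude quotes and whitespace from the URL capture in the first place: `html = html.replace(/\[((https?:\/\/|mailto:|\/)[^\s"]+?) (.+?)\]/gi, '<a href="$1">$3</a>');`. Separately, the new signature drops the unused `wikilinks` parameter of the old `function(html, tags, wikilinks)`, which is harmless for existing callers but worth a one-line mention in the `@*/` doc block above, since `defaultTags`, `replace` and `salt` are now taken from the enclosing scope rather than the removed IIFE.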