').html(html).html();
};
/*@
Ox.sanitizeHTML
Takes untrusted HTML and returns something trustworthy
> Ox.sanitizeHTML('http://foo.com, bar')
'http://foo.com, bar'
> Ox.sanitizeHTML('http://foo.com/foobar?foo, bar')
'http://foo.com/foobar?foo, bar'
> Ox.sanitizeHTML('(see: www.foo.com)')
'(see: www.foo.com)'
> Ox.sanitizeHTML('foo@bar.com')
'foo@bar.com'
> Ox.sanitizeHTML('foo')
'foo'
> Ox.sanitizeHTML('foo')
'<a href="javascript:alert()">foo'
> Ox.sanitizeHTML('[http://foo.com foo]')
'foo'
> Ox.sanitizeHTML('foo')
'foo
'
> Ox.sanitizeHTML('')
'<script>alert()</script>'
> Ox.sanitizeHTML('\'foo\' < \'bar\' && "foo" > "bar"')
'\'foo\' < \'bar\' && "foo" > "bar"'
> Ox.sanitizeHTML('foo')
'foo'
> Ox.sanitizeHTML('foo')
'foo'
@*/
// Allow-list sanitizer. Every tag named in `tags` is matched by a pattern and
// swapped for a salted placeholder, the remaining text is run through
// Ox.encodeHTMLEntities, and the placeholders are then expanded back into the
// rewritten tags. Anything that is not an allowed, attribute-free tag (or an
// <a>/<img> whose href/src starts with http(s):// or /) therefore comes out
// as text rather than markup.
//
// NOTE(review): this copy of the file has been through an HTML renderer — the
// literal markup inside the pattern keys and replacement values below (and in
// the examples above) was stripped. That is why some keys start mid
// character class and some replacements are empty or contain a raw newline
// (a syntax error as written). Restore them from the original source before
// relying on the exact patterns.
Ox.sanitizeHTML = (function() {
    // Tags recognised when the caller passes no `tags` argument.
    var defaultTags = [
            // inline formatting
            'b', 'code', 'i', 's', 'sub', 'sup', 'u',
            // block formatting
            'blockquote', 'h1', 'h2', 'h3', 'p', 'pre',
            // lists
            'li', 'ol', 'ul',
            // tables
            'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr',
            // other
            'a', 'br', 'img',
            // special
            // '[]' is not a tag: it enables wiki-style `[url text]` links and
            // is filtered out of the list before the per-tag loop runs.
            'rtl', '[]'
        ],
        // Per-tag rewrite rules: pattern source -> replacement format string
        // (the '*' builder below uses {1} for the first capture group).
        // NOTE(review): `parse` and `tab` are never read by the returned
        // function, which uses `replace.tag` and `salt` instead — neither is
        // declared in this block, so presumably they live in the enclosing
        // scope above this chunk. Looks like a partially finished rename;
        // confirm against the rest of the file.
        parse = {
            a: {
                // Only an href beginning with http://, https:// or / is
                // accepted (capture group 1); any other scheme fails to match
                // and the tag is left to be entity-encoded. The replacement
                // value was stripped in this copy — presumably it re-emits
                // only {1}, dropping every other attribute.
                ']*?href="((https?:\/\/|\/).+?)".*?>': '',
                '<\/a>': ''
            },
            img: {
                // Same restriction for src: http(s):// or root-relative only.
                ']*?src="((https?:\/\/|\/).+?)".*?>': ''
            },
            rtl: {
                // Pseudo-tag; its opening pattern and both replacements were
                // stripped in this copy (the second one now spans a line).
                '': '',
                '<\/rtl>': '
'
            },
            // Fallback for every allowed tag without a dedicated rule. The
            // pattern matches only a bare opening, closing or self-closing
            // tag (`<b>`, `</b>`, `<br />`) with no attributes at all, so a
            // tag carrying attributes does not match and is entity-encoded
            // instead. The replacement keeps just the tag name (group 1),
            // so a self-closing `<br/>` is emitted as `<br>`.
            '*': function(tag) {
                var ret = {};
                ret['<(/?' + tag + ') ?/?>'] = '<{1}>';
                return ret;
            }
        },
        tab = '\t';
    // html:      untrusted input string
    // tags:      optional allow-list of tag names; defaults to defaultTags
    // wikilinks: declared but never read in this body — presumably superseded
    //            by the '[]' entry in `tags`; confirm before removing.
    // Returns the sanitized HTML string.
    return function(html, tags, wikilinks) {
        // Rewritten tags, stashed while the rest of the text is encoded;
        // index i corresponds to placeholder salt.join(i).
        var matches = [];
        tags = tags || defaultTags;
        // html = Ox.clean(html); fixme: can this be a parameter?
        if (tags.indexOf('[]') > -1) {
            // Wiki-style `[url text]` links; the URL (group 1) must again
            // start with http(s):// or /. The replacement shown here is only
            // '$3' (the link text) — the markup around it was stripped in
            // this copy.
            html = html.replace(/\[((https?:\/\/|\/).+?) (.+?)\]/gi, '$3');
            // filter() returns a new array, so the caller's `tags` is untouched.
            tags = tags.filter(function(tag) {
                return tag != '[]';
            });
        }
        // Pass 1: replace each allowed tag with a salted placeholder and
        // remember the rewritten tag it stands for.
        tags.forEach(function(tag) {
            var array = replace.tag[tag] || replace.tag['*'](tag);
            // Each `value` is read as a [pattern, replacement] pair; the
            // capture groups (`arguments`) are fed into Ox.formatString.
            Ox.forEach(array, function(value) {
                html = html.replace(value[0], function() {
                    matches.push(Ox.formatString(value[1], arguments));
                    return salt.join(matches.length - 1);
                });
            });
        });
        // Pass 2: whatever is left is plain text — entity-encode it, then
        // auto-link bare URLs/addresses (presumably what the `true` flag
        // selects; see Ox.addLinks).
        html = Ox.addLinks(Ox.encodeHTMLEntities(html), true);
        // Pass 3: put the rewritten tags back.
        // NOTE(review): `match` is handed to String.prototype.replace as a
        // replacement *string*, so a `$&`, `$'`, `` $` `` or `$n` sequence
        // inside a captured href/src would be expanded by replace() instead
        // of being emitted literally. Returning it from a callback —
        // `function() { return match; }` — makes the substitution verbatim.
        // This also relies on `salt` containing no regex metacharacters,
        // since it is passed to new RegExp unescaped; confirm where it is built.
        matches.forEach(function(match, i) {
            html = html.replace(new RegExp(salt.join(i)), match);
        });
        // Blank line -> block break; the replacement markup was stripped in
        // this copy, leaving a string literal that spans a line.
        html = html.replace(/\n\n/g, '
');
        // Close extra opening and remove extra closing tags.
        // Note: this converts ''' to "'" and '"' to '"'
        return Ox.normalizeHTML(html);
    };
}());
}());