From b6fcc9b79d0d1dd4ad4da95ef9151e656431f11f Mon Sep 17 00:00:00 2001
From: JC Brand
Date: Sat, 28 May 2016 11:28:32 +0000
Subject: [PATCH] Don't render unescaped urls.

---
 spec/chatbox.js | 13 ++++---------
 src/utils.js | 32 +++++++++++++++++++-------------
 2 files changed, 23 insertions(+), 22 deletions(-)

diff --git a/spec/chatbox.js b/spec/chatbox.js
index a7b8864b3..ddf7091f7 100644
--- a/spec/chatbox.js
+++ b/spec/chatbox.js
@@ -862,11 +862,6 @@
 });
 it("will have properly escaped URLs", function () {
- if (/PhantomJS/.test(window.navigator.userAgent)) {
- // Flaky under PhantomJS due to timeouts
- return;
- }
- // TODO: make these local urls
 var message, msg;
 var contact_jid = mock.cur_names[0].replace(/ /g,'.').toLowerCase() + '@localhost';
 test_utils.openChatBoxFor(contact_jid);
@@ -876,7 +871,7 @@
 message = "http://www.opkode.com/'onmouseover='alert(1)'whatever";
 test_utils.sendMessage(view, message);
 });
- waits(500);
+ waits(50);
 runs(function () {
 expect(view.sendMessage).toHaveBeenCalled();
 msg = view.$el.find('.chat-content').find('.chat-message').last().find('.chat-msg-content');
@@ -886,7 +881,7 @@
 message = 'http://www.opkode.com/"onmouseover="alert(1)"whatever';
 test_utils.sendMessage(view, message);
 });
- waits(500);
+ waits(50);
 runs(function () {
 expect(view.sendMessage).toHaveBeenCalled();
 msg = view.$el.find('.chat-content').find('.chat-message').last().find('.chat-msg-content');
@@ -896,7 +891,7 @@
 message = "https://en.wikipedia.org/wiki/Ender's_Game";
 test_utils.sendMessage(view, message);
 });
- waits(500);
+ waits(50);
 runs(function () {
 expect(view.sendMessage).toHaveBeenCalled();
 msg = view.$el.find('.chat-content').find('.chat-message').last().find('.chat-msg-content');
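Review bot: Cutting the fixed delay to `waits(50)` in this hunk (and identically in the hunks at -886, -896 and -906) makes each assertion depend on rendering finishing within 50 ms, while the same commit removes the PhantomJS skip whose comment said the test was flaky "due to timeouts", so the suite is now more exposed to exactly that flakiness. A condition-based wait is deterministic whatever the delay: before each `runs` block, `waitsFor(function () { return view.$el.find('.chat-msg-content').last().find('a').length > 0; }, 'link rendered', 500);`, which latches on the anchor that the utils.js change now inserts synchronously via `$obj.html(x)`. The enclosing `it` callback starts and ends outside this hunk.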
@@ -906,7 +901,7 @@
 message = "https://en.wikipedia.org/wiki/Ender%27s_Game";
 test_utils.sendMessage(view, message);
 });
- waits(500);
+ waits(50);
 runs(function () {
 expect(view.sendMessage).toHaveBeenCalled();
 msg = view.$el.find('.chat-content').find('.chat-message').last().find('.chat-msg-content');
diff --git a/src/utils.js b/src/utils.js
index 0da69a171..6a115b038 100755
--- a/src/utils.js
+++ b/src/utils.js
@@ -49,21 +49,27 @@
 $.fn.addHyperlinks = function () {
 if (this.length > 0) {
 this.each(function (i, obj) {
+ var prot, escaped_url;
 var $obj = $(obj);
 var x = $obj.html();
- _.each(x.match(/\b(https?:\/\/|www\.|https?:\/\/www\.)[^\s<]{2,200}\b/g), function (url) {
- isImage(url)
- .then(function () {
- event.target.className = 'chat-image';
- x = x.replace(url, event.target.outerHTML);
- $obj.throttledHTML(x);
- })
- .fail(function () {
- var prot = url.indexOf('http://') === 0 || url.indexOf('https://') === 0 ? '' : 'http://';
- var escaped_url = encodeURI(decodeURI(url)).replace(/[!'()]/g, escape).replace(/\*/g, "%2A");
- x = x.replace(url, ''+ url + '' );
- $obj.throttledHTML(x);
- });
+ var list = x.match(/\b(https?:\/\/|www\.|https?:\/\/www\.)[^\s<]{2,200}\b/g );
+ if (list) {
+ for (i=0; i'+ list[i] + '' );
+ }
+ }
+ $obj.html(x);
+ _.each(list, function (url) {
+ isImage(url).then(function () {
+ var prot = url.indexOf('http://') === 0 || url.indexOf('https://') === 0 ? '' : 'http://';
+ var escaped_url = encodeURI(decodeURI(url)).replace(/[!'()]/g, escape).replace(/\*/g, "%2A");
+ var new_url = ''+ url + '';
+ event.target.className = 'chat-image';
+ x = x.replace(new_url, event.target.outerHTML);
+ $obj.throttledHTML(x);
+ });
 });
 });
 }
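Review bot: `encodeURI(decodeURI(url))` in the image callback — and, as far as the collapsed `for` loop lets one tell, the same expression now used to build every anchor before `$obj.html(x)` — throws a `URIError` on a matched token with a malformed percent-escape such as a trailing `%E0`, and nothing in `addHyperlinks` catches it, so one such token aborts linkifying the whole message. The anchor markup is also assembled twice, in the loop and again as `new_url` in the callback, and `x.replace(new_url, …)` silently does nothing if the two strings ever differ, so one shared helper should build it. `String.prototype.replace` with a string pattern further interprets `$&`, `$$` and `` $` `` inside a replacement that embeds the raw `url`, which a function replacer avoids, and `for (i=0; …` overwrites the `each` callback's `i` parameter instead of declaring a local index. The rewritten loop and helpers follow; the function's closing `};` lies outside the hunk.
```javascript
// … unchanged: $.fn.addHyperlinks preamble, var $obj, var x, var list …
function escapeUrl(url) {
    var decoded;
    try {
        decoded = decodeURI(url);
    } catch (e) {
        // URIError on a malformed %-escape: encode the raw token instead of aborting the message.
        decoded = url;
    }
    return encodeURI(decoded).replace(/[!'()]/g, escape).replace(/\*/g, "%2A");
}
function linkMarkup(url) {
    var prot = url.indexOf('http://') === 0 || url.indexOf('https://') === 0 ? '' : 'http://';
    var escaped_url = escapeUrl(url);
    return ANCHOR_MARKUP(prot, escaped_url, url); // placeholder: the anchor string the loop already builds
}
if (list) {
    for (var j = 0; j < list.length; j++) {
        // Function replacer: '$' sequences in the url are inserted literally, not expanded.
        x = x.replace(list[j], function () { return linkMarkup(list[j]); });
    }
}
// … unchanged: $obj.html(x); _.each(list, …) with `var new_url = linkMarkup(url);` …
```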