Don't render unescaped urls.
This commit is contained in:
parent
5a1b308edd
commit
b6fcc9b79d
@ -862,11 +862,6 @@
|
|||||||
});
|
});
|
||||||
|
|
||||||
it("will have properly escaped URLs", function () {
|
it("will have properly escaped URLs", function () {
|
||||||
if (/PhantomJS/.test(window.navigator.userAgent)) {
|
|
||||||
// Flaky under PhantomJS due to timeouts
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
// TODO: make these local urls
|
|
||||||
var message, msg;
|
var message, msg;
|
||||||
var contact_jid = mock.cur_names[0].replace(/ /g,'.').toLowerCase() + '@localhost';
|
var contact_jid = mock.cur_names[0].replace(/ /g,'.').toLowerCase() + '@localhost';
|
||||||
test_utils.openChatBoxFor(contact_jid);
|
test_utils.openChatBoxFor(contact_jid);
|
||||||
@ -876,7 +871,7 @@
|
|||||||
message = "http://www.opkode.com/'onmouseover='alert(1)'whatever";
|
message = "http://www.opkode.com/'onmouseover='alert(1)'whatever";
|
||||||
test_utils.sendMessage(view, message);
|
test_utils.sendMessage(view, message);
|
||||||
});
|
});
|
||||||
waits(500);
|
waits(50);
|
||||||
runs(function () {
|
runs(function () {
|
||||||
expect(view.sendMessage).toHaveBeenCalled();
|
expect(view.sendMessage).toHaveBeenCalled();
|
||||||
msg = view.$el.find('.chat-content').find('.chat-message').last().find('.chat-msg-content');
|
msg = view.$el.find('.chat-content').find('.chat-message').last().find('.chat-msg-content');
|
||||||
@ -886,7 +881,7 @@
|
|||||||
message = 'http://www.opkode.com/"onmouseover="alert(1)"whatever';
|
message = 'http://www.opkode.com/"onmouseover="alert(1)"whatever';
|
||||||
test_utils.sendMessage(view, message);
|
test_utils.sendMessage(view, message);
|
||||||
});
|
});
|
||||||
waits(500);
|
waits(50);
|
||||||
runs(function () {
|
runs(function () {
|
||||||
expect(view.sendMessage).toHaveBeenCalled();
|
expect(view.sendMessage).toHaveBeenCalled();
|
||||||
msg = view.$el.find('.chat-content').find('.chat-message').last().find('.chat-msg-content');
|
msg = view.$el.find('.chat-content').find('.chat-message').last().find('.chat-msg-content');
|
||||||
@ -896,7 +891,7 @@
|
|||||||
message = "https://en.wikipedia.org/wiki/Ender's_Game";
|
message = "https://en.wikipedia.org/wiki/Ender's_Game";
|
||||||
test_utils.sendMessage(view, message);
|
test_utils.sendMessage(view, message);
|
||||||
});
|
});
|
||||||
waits(500);
|
waits(50);
|
||||||
runs(function () {
|
runs(function () {
|
||||||
expect(view.sendMessage).toHaveBeenCalled();
|
expect(view.sendMessage).toHaveBeenCalled();
|
||||||
msg = view.$el.find('.chat-content').find('.chat-message').last().find('.chat-msg-content');
|
msg = view.$el.find('.chat-content').find('.chat-message').last().find('.chat-msg-content');
|
||||||
@ -906,7 +901,7 @@
|
|||||||
message = "https://en.wikipedia.org/wiki/Ender%27s_Game";
|
message = "https://en.wikipedia.org/wiki/Ender%27s_Game";
|
||||||
test_utils.sendMessage(view, message);
|
test_utils.sendMessage(view, message);
|
||||||
});
|
});
|
||||||
waits(500);
|
waits(50);
|
||||||
runs(function () {
|
runs(function () {
|
||||||
expect(view.sendMessage).toHaveBeenCalled();
|
expect(view.sendMessage).toHaveBeenCalled();
|
||||||
msg = view.$el.find('.chat-content').find('.chat-message').last().find('.chat-msg-content');
|
msg = view.$el.find('.chat-content').find('.chat-message').last().find('.chat-msg-content');
|
||||||
|
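--- a/src/utils.js
+++ b/src/utils.js
@@ -49,19 +49,25 @@
 $.fn.addHyperlinks = function () {
 if (this.length > 0) {
 this.each(function (i, obj) {
+var prot, escaped_url;
 var $obj = $(obj);
 var x = $obj.html();
-_.each(x.match(/\b(https?:\/\/|www\.|https?:\/\/www\.)[^\s<]{2,200}\b/g), function (url) {
-isImage(url)
-.then(function () {
-event.target.className = 'chat-image';
-x = x.replace(url, event.target.outerHTML);
-$obj.throttledHTML(x);
-})
-.fail(function () {
+var list = x.match(/\b(https?:\/\/|www\.|https?:\/\/www\.)[^\s<]{2,200}\b/g );
+if (list) {
+for (i=0; i<list.length; i++) {
+prot = list[i].indexOf('http://') === 0 || list[i].indexOf('https://') === 0 ? '' : 'http://';
+escaped_url = encodeURI(decodeURI(list[i])).replace(/[!'()]/g, escape).replace(/\*/g, "%2A");
+x = x.replace(list[i], '<a target="_blank" rel="noopener" href="' + prot + escaped_url + '">'+ list[i] + '</a>' );
+}
+}
+$obj.html(x);
+_.each(list, function (url) {
+isImage(url).then(function () {
 var prot = url.indexOf('http://') === 0 || url.indexOf('https://') === 0 ? '' : 'http://';
 var escaped_url = encodeURI(decodeURI(url)).replace(/[!'()]/g, escape).replace(/\*/g, "%2A");
-x = x.replace(url, '<a target="_blank" rel="noopener" href="' + prot + escaped_url + '">'+ url + '</a>' );
+var new_url = '<a target="_blank" rel="noopener" href="' + prot + escaped_url + '">'+ url + '</a>';
+event.target.className = 'chat-image';
+x = x.replace(new_url, event.target.outerHTML);
 $obj.throttledHTML(x);
 });
 });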