Fix tests, let templating handle html escaping

Note: as a Chrome app, we're also protected from xss by the content security policy. // FREEBIE
2015-07-04 23:08:25 -07:00 · 2015-07-04 23:08:25 -07:00 · f5f4c128f9
commit f5f4c128f9
parent fcc873ffca
2 changed files with 4 additions and 11 deletions
--- a/background.html
+++ b/background.html
@ -65,7 +65,7 @@
      {{> avatar }}
      <div class="bubble">
          <div class='attachments'></div>
-          <p class="content">{{& message }}</p>
+          <p class="content">{{ message }}</p>
          <div class='meta'>
            <span class='timestamp'>{{ timestamp }}</span>
            <span class='checkmark hide'>✓</span>
--- a/js/views/message_view.js
+++ b/js/views/message_view.js
@ -52,19 +52,11 @@
                this.$el.removeClass('control');
            }
        },
-        autoLink: function(text) {
-            return text.replace(/(^|[\s\n]|<br\/?>)((?:https?|ftp):\/\/[\-A-Z0-9+\u0026\u2019@#\/%?=()~_|!:,.;]*[\-A-Z0-9+\u0026@#\/%=~()_|])/gi, "$1<a href='$2' target='_blank'>$2</a>");
-        },
-        sanitizeMessage: function (message) {
-            var element = document.createElement('span');
-            element.innerText = message;
-            return element.innerHTML.trim().replace(/\n/g, '<br>');
-        },
        render: function() {
            var contact = this.model.getContact();
            this.$el.html(
                Mustache.render(this.template, {
-                    message: this.sanitizeMessage(this.model.get('body')),
+                    message: this.model.get('body'),
                    timestamp: moment(this.model.get('sent_at')).fromNow(),
                    sender: (contact && contact.getTitle()) || '',
                    avatar: (contact && contact.getAvatar())
@ -74,7 +66,8 @@
            twemoji.parse(this.el, { base: '/images/twemoji/', size: 16 });

            var content = this.$('.content');
-            content.html(this.autoLink(content.html()));
+            var escaped = content.html();
+            content.html(escaped.replace(/\n/g, '<br>').replace(/(^|[\s\n]|<br\/?>)((?:https?|ftp):\/\/[\-A-Z0-9+\u0026\u2019@#\/%?=()~_|!:,.;]*[\-A-Z0-9+\u0026@#\/%=~()_|])/gi, "$1<a href='$2' target='_blank'>$2</a>"));

            this.renderDelivered();
            this.renderPending();