From f5f4c128f96f343edceeb4a2b27cc3fbb80dedd6 Mon Sep 17 00:00:00 2001
From: lilia
Date: Sat, 4 Jul 2015 23:08:25 -0700
Subject: [PATCH] Fix tests, let templating handle html escaping

Note: as a Chrome app, we're also protected from xss by the content security policy.

// FREEBIE
---
 background.html | 2 +-
 js/views/message_view.js | 13 +++----------
 2 files changed, 4 insertions(+), 11 deletions(-)

diff --git a/background.html b/background.html
index c1fa8855..2147cad7 100644
--- a/background.html
+++ b/background.html
@@ -65,7 +65,7 @@ {{> avatar }}
-

{{& message }}

+

{{ message }}

{{ timestamp }}
diff --git a/js/views/message_view.js b/js/views/message_view.js
index 25f63567..e5b5d0bc 100644
--- a/js/views/message_view.js
+++ b/js/views/message_view.js
@@ -52,19 +52,11 @@ this.$el.removeClass('control'); } }, - autoLink: function(text) { return text.replace(/(^|[\s\n]|)((?:https?|ftp):\/\/[\-A-Z0-9+\u0026\u2019@#\/%?=()~_|!:,.;]*[\-A-Z0-9+\u0026@#\/%=~()_|])/gi, "$1$2"); }, - sanitizeMessage: function (message) { var element = document.createElement('span'); element.innerText = message; return element.innerHTML.trim().replace(/\n/g, '
'); - }, render: function() { var contact = this.model.getContact(); this.$el.html( Mustache.render(this.template, { - message: this.sanitizeMessage(this.model.get('body')), + message: this.model.get('body'), timestamp: moment(this.model.get('sent_at')).fromNow(), sender: (contact && contact.getTitle()) || '', avatar: (contact && contact.getAvatar()) @@ -74,7 +66,8 @@ twemoji.parse(this.el, { base: '/images/twemoji/', size: 16 }); var content = this.$('.content'); - content.html(this.autoLink(content.html())); + var escaped = content.html(); + content.html(escaped.replace(/\n/g, '
').replace(/(^|[\s\n]|)((?:https?|ftp):\/\/[\-A-Z0-9+\u0026\u2019@#\/%?=()~_|!:,.;]*[\-A-Z0-9+\u0026@#\/%=~()_|])/gi, "$1$2")); this.renderDelivered(); this.renderPending();
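Review bot: The autolink pass at the end of the hunk runs its regex over `content.html()`, i.e. over already-escaped markup (including whatever `twemoji.parse` inserted), and splices the match back into markup unescaped (the anchor tag in the replacement string appears to have been lost in this rendering), so its safety rests on two facts the code never states: the template now uses `{{ message }}` so `<`, `>`, `"` and `'` arrive as entities, and the URL character class deliberately omits those four characters while `\u0026` lets a match run through entity text such as `&amp;`. That invariant deserves a comment next to the regex, e.g. `// Runs on Mustache-escaped markup: the URL class must never admit <, >, " or ' because $2 is inserted into an href unescaped.` The `(^|[\s\n]|)` prefix group contains an empty alternative, so the start-of-token boundary it suggests is not actually enforced; either drop the trailing `|` or say in a comment that matching at any position is intentional. Hoisting the pattern into a named constant such as `var URL_PATTERN = /(^|[\s\n]|)((?:https?|ftp):\/\/…)/gi;` would also make the single-line double `.replace` readable. Note too that the removed `sanitizeMessage` called `.trim()` and the new path does not, so leading and trailing whitespace in a body is now preserved; render's body begins before this hunk.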