sanitizer can skip over tags

corgibytes · May 25, 2010 · 332a272 · 332a272
1 parent ba57c7c
commit 332a272
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 5 deletions.
diff --git a/src/wysihat/element/sanitize_contents.js b/src/wysihat/element/sanitize_contents.js
@@ -18,25 +18,33 @@
     for (i = 0; i < length; i++) callback(nodes[i]);
   }
 
-  function sanitizeNode(node, tagsToRemove, tagsToAllow) {
+  function sanitizeNode(node, tagsToRemove, tagsToAllow, tagsToSkip) {
     var parentNode = node.parentNode;
 
     switch (node.nodeType) {
       case Node.ELEMENT_NODE:
         var tagName = node.tagName.toLowerCase();
 
-        if (tagName in tagsToAllow) {
+        if (tagsToSkip) {
+          var newNode = node.cloneNode(false);
+          withEachChildNodeOf(node, function(childNode) {
+            newNode.appendChild(childNode);
+            sanitizeNode(childNode, tagsToRemove, tagsToAllow, tagsToSkip);
+          });
+          parentNode.insertBefore(newNode, node);
+
+        } else if (tagName in tagsToAllow) {
           var newNode = cloneWithAllowedAttributes(node, tagsToAllow[tagName]);
           withEachChildNodeOf(node, function(childNode) {
             newNode.appendChild(childNode);
-            sanitizeNode(childNode, tagsToRemove, tagsToAllow);
+            sanitizeNode(childNode, tagsToRemove, tagsToAllow, tagsToSkip);
           });
           parentNode.insertBefore(newNode, node);
 
         } else if (!(tagName in tagsToRemove)) {
           withEachChildNodeOf(node, function(childNode) {
             parentNode.insertBefore(childNode, node);
-            sanitizeNode(childNode, tagsToRemove, tagsToAllow);
+            sanitizeNode(childNode, tagsToRemove, tagsToAllow, tagsToSkip);
           });
         }
 
@@ -61,8 +69,10 @@
         tagsToAllow[tagName] = allowedAttributes;
       });
 
+      var tagsToSkip = options.skip;
+
       withEachChildNodeOf(element, function(childNode) {
-        sanitizeNode(childNode, tagsToRemove, tagsToAllow);
+        sanitizeNode(childNode, tagsToRemove, tagsToAllow, tagsToSkip);
       });
 
       return element;

diff --git a/test/unit/sanitize_contents_test.js b/test/unit/sanitize_contents_test.js
@@ -72,5 +72,25 @@ new Test.Unit.Runner({
       "<img src=\"http://www.google.com/intl/en_all/images/logo.gif\">",
       sanitize("<img src=\"http://www.google.com/intl/en_all/images/logo.gif\">", {allow: "img[src], a[href]"})
     );
+
+    if (Prototype.Browser.Gecko) {
+      var element;
+
+      element = new Element("div").update('dirty <span _moz_dirty="" style="font-weight: bold;">formatting</span>.<br _moz_dirty="">').sanitizeContents({skip: "[_moz_dirty]"});
+      runner.assertEqual(
+        'dirty <span style="font-weight: bold;">formatting</span>.<br>',
+        element.innerHTML
+      );
+      // _moz_dirty flag doesn't show up in innerHTML
+      runner.assert(element.children[0].hasAttribute('_moz_dirty'));
+
+      element = new Element("div").update('clean and <span _moz_dirty="" style="font-weight: bold;">dirty</span>').sanitizeContents({skip: "[_moz_dirty]"})
+      runner.assertEqual(
+        'clean and <span style="font-weight: bold;">dirty</span>',
+        element.innerHTML
+      );
+      // _moz_dirty flag doesn't show up in innerHTML
+      runner.assert(element.children[0].hasAttribute('_moz_dirty'));
+    }
   }
 });