
Add absolute path and href sanitizer options

1 parent 52d9021 commit b2803828291643fba570b81089022dad96538906 @mixonic committed May 22, 2012
Showing with 70 additions and 4 deletions.
  1. +26 −1 src/dom/parse.js
  2. +44 −3 test/dom/parse_test.js
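--- a/src/dom/parse.js
+++ b/src/dom/parse.js
@@ -369,6 +369,31 @@ wysihtml5.dom.parse = (function() {
 });
 };
 })(),
+
+ absolute_path: (function() {
+ var REG_EXP = /^\/[\/a-z0-9%?.]*$/i;
+ return function(attributeValue) {
+ if (!attributeValue || !attributeValue.match(REG_EXP)) {
+ return null;
+ }
+ return attributeValue.replace(REG_EXP, function(match) {
+ return match.toLowerCase();
+ });
+ };
+ })(),
+
+ href: (function() {
+ var HTTP_REG_EXP = /^https?:\/\//i;
+ var APATH_REG_EXP = /^\/[\/a-z0-9%?.]*$/i;
+ return function(attributeValue) {
+ if (!attributeValue || (!attributeValue.match(HTTP_REG_EXP) && !attributeValue.match(APATH_REG_EXP))) {
+ return null;
+ }
+ return attributeValue.replace(HTTP_REG_EXP, function(match) {
+ return match.toLowerCase();
+ });
+ };
+ })(),
 alt: (function() {
 var REG_EXP = /[^ a-z0-9_\-]/gi;
@@ -444,4 +469,4 @@ wysihtml5.dom.parse = (function() {
 };
 return parse;
-})();
+})();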
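Review bot: The `absolute_path` pattern `/^\/[\/a-z0-9%?.]*$/i` also accepts a value that starts with two slashes, so a protocol-relative reference such as `//host/x.gif` passes a check that is presumably meant to keep the attribute on the current host; the same pattern is repeated as `APATH_REG_EXP` in `href`. Rejecting a second leading slash closes that, e.g. `var REG_EXP = /^\/(?!\/)[\/a-z0-9%?.]*$/i;`, and sharing one constant between the two checks keeps them from drifting apart. Separately, `absolute_path` passes the whole match through `toLowerCase()`, which rewrites `/Img/A.gif` to `/img/a.gif` and will break links on case-sensitive servers; returning `attributeValue` unchanged once it matches avoids that. The enclosing object literal begins and ends outside the hunk.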
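--- a/test/dom/parse_test.js
+++ b/test/dom/parse_test.js
@@ -98,17 +98,58 @@ if (wysihtml5.browser.supported()) {
 '<h1 id="main-headline" >take this you snorty little sanitizer</h1>' +
 '<h2>yes, you!</h2>' +
 '<h3>i\'m old and ready to die</h3>' +
- '<div><video src="pr0n.avi">foobar</video><img src="http://foo.gif" height="10" width="10"></div>' +
+ '<div><video src="pr0n.avi">foobar</video><img src="http://foo.gif" height="10" width="10"><img src="/foo.gif"></div>' +
 '<div><a href="http://www.google.de"></a></div>',
 rules
 ),
 '<h2>take this you snorty little sanitizer</h2>' +
 '<h2>yes, you!</h2>' +
- '<span><img alt="foo" border="1" src="http://foo.gif" height="10" width="10"></span>' +
+ '<span><img alt="foo" border="1" src="http://foo.gif" height="10" width="10"><img alt="foo" border="1"></span>' +
 '<span><i title=""></i></span>'
 );
 });
+ test("Attribute check of absolute_path cleans up", function() {
+ var rules = {
+ tags: {
+ img: {
+ check_attributes: { src: "absolute_path" }
+ }
+ }
+ };
+
+ this.equal(
+ this.sanitize(
+ '<img src="http://url.gif">' +
+ '<img src="/path/to/absolute%20href.gif">' +
+ '<img src="mango time">',
+ rules
+ ),
+ '<img><img src="/path/to/absolute%20href.gif"><img>'
+ );
+ });
+
+ test("Attribute check of href cleans up", function() {
+ var rules = {
+ tags: {
+ img: {
+ check_attributes: { src: "href" }
+ }
+ }
+ };
+
+ this.equal(
+ this.sanitize(
+ '<img src="HTTP://url.gif">' +
+ '<img src="/path/to/absolute%20href.gif">' +
+ '<img src="mango time">',
+ rules
+ ),
+ '<img src="http://url.gif">' +
+ '<img src="/path/to/absolute%20href.gif">' +
+ '<img>'
+ );
+ });
 test("Bug in IE8 where invalid html causes duplicated content", function() {
 var rules = {
@@ -502,4 +543,4 @@ if (wysihtml5.browser.supported()) {
 this.sanitize('<a href="http://google.com/~foo"></a>', rules).indexOf("~") !== -1
 );
 });
-}
+}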
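Review bot: The two new tests feed only lowercase paths and one rejected value, so they do not pin what the checks do with a protocol-relative value or a mixed-case path. Under the `absolute_path` rule I would add `'<img src="//url.gif">'` with `<img>` as the expected output (the pattern in src/dom/parse.js appears to accept it today), plus `'<img src="/Path/File.GIF">'` so the case handling becomes an explicit decision. The `href` test would also benefit from one input with a scheme other than http(s), e.g. `'<img src="ftp://url.gif">'` expected to come back as `<img>`, and from exercising the rule on `a`/`href` rather than only `img`/`src`.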
