author | Felix Hammerl <fhammerl@thoughtworks.com> | 2016-02-24 10:13:25 +0100 |
---|---|---|
committer | Felix Hammerl <fhammerl@thoughtworks.com> | 2016-02-24 10:20:36 +0100 |
commit | 77ec41bb6f542077503106cacc1dbd28118c50b4 (patch) | |
tree | 7e59c1e5cdffd6146acb6504a9741d394af6a62f /web-ui/app/js/helpers/view_helper.js | |
parent | 6160633ab9a54238974af3cf498024ad98fc977e (diff) |
Issue #617: Sanitize received content
Sanitizes received HTML content with DOMPurify, making it safe
for displaying and templating. Sanitizes received plain text content
by encoding every single character as an HTML entity.
Diffstat (limited to 'web-ui/app/js/helpers/view_helper.js')
-rw-r--r-- | web-ui/app/js/helpers/view_helper.js | 37 |
1 files changed, 4 insertions, 33 deletions
diff --git a/web-ui/app/js/helpers/view_helper.js b/web-ui/app/js/helpers/view_helper.js index e4e9277d..e8d517a5 100644 --- a/web-ui/app/js/helpers/view_helper.js +++ b/web-ui/app/js/helpers/view_helper.js @@ -17,12 +17,12 @@ define( [ 'helpers/contenttype', - 'lib/html_whitelister', 'views/i18n', 'quoted-printable/quoted-printable', - 'utf8/utf8' + 'utf8/utf8', + 'helpers/sanitizer' ], - function(contentType, htmlWhitelister, i18n, quotedPrintable, utf8) { + function(contentType, i18n, quotedPrintable, utf8, sanitizer) { 'use strict'; function formatStatusClasses(ss) { @@ -31,37 +31,8 @@ define( }).join(' '); } - function addParagraphsToPlainText(textPlainBody) { - return textPlainBody.replace(/^(.*?)$/mg, '$1<br/>'); - } - - function escapeHtmlTags(body) { - - var escapeIndex = { - '&': '&', - '<': '<', - '>': '>', - '"': '"', - '\'':''', - '/': '/' - }; - - return body.replace(/["'<>\/&]/g, function(char){ - return escapeIndex[char]; - }); - - } - - function escapeHtmlAndAddParagraphs(body) { - var escapedBody = escapeHtmlTags(body); - return addParagraphsToPlainText(escapedBody); - } - function formatMailBody(mail) { - var body = mail.htmlBody ? - htmlWhitelister.sanitize(mail.htmlBody, htmlWhitelister.tagPolicy) : - escapeHtmlAndAddParagraphs(mail.textPlainBody); - return $('<div>' + body + '</div>'); + return sanitizer.sanitize(mail); } function moveCaretToEnd(el) { |
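Review bot: `formatMailBody` now returns whatever `sanitizer.sanitize(mail)` returns, whereas the removed lines returned a jQuery-wrapped `<div>` built from the body string; unless `helpers/sanitizer` (not in this diff) wraps its result the same way, callers that use the result as a jQuery element will break, so the new contract should be stated on the function, e.g. `/** Returns the sanitized body of mail ready for display; see helpers/sanitizer for the exact return type (element vs. string). */`. The removed plain-text path also appended `<br/>` to every line before returning, and the commit message only mentions entity-encoding plain text, so it is worth confirming that the sanitizer preserves line breaks for text/plain bodies. Note that the removed `escapeIndex` appears on this page with each character mapped to itself; that is the page decoding the entity strings, not the original code. The enclosing `define` module continues outside both hunks.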