Fix(textAngularSetup): We now block javascript for 'insertLink', 'insertVideo', and 'insertImage' issue: #1189

JoelParke · JoelParke · commit 37e3f7acdb70 · 2016-07-25T17:29:09.000-06:00
diff --git a/src/textAngularSetup.js b/src/textAngularSetup.js
@@ -723,6 +723,13 @@ angular.module('textAngularSetup', [])
 		}
 	});
 
+	/* istanbul ignore next: if it's javascript don't worry - though probably should show some kind of error message */
+	var blockJavascript = function (link) {
+		if (link.toLowerCase().indexOf('javascript')!==-1) {
+			return true;
+		}
+		return false;
+	};
 
 	taRegisterTool('insertImage', {
 		iconclass: 'fa fa-picture-o',
@@ -732,22 +739,25 @@ angular.module('textAngularSetup', [])
 			imageLink = $window.prompt(taTranslations.insertImage.dialogPrompt, 'http://');
 			if(imageLink && imageLink !== '' && imageLink !== 'http://'){
 				/* istanbul ignore next: don't know how to test this... since it needs a dialogPrompt */
-				if (taSelection.getSelectionElement().tagName.toLowerCase() === 'a') {
-					// due to differences in implementation between FireFox and Chrome, we must move the
-					// insertion point past the <a> element, otherwise FireFox inserts inside the <a>
-					// With this change, both FireFox and Chrome behave the same way!
-					taSelection.setSelectionAfterElement(taSelection.getSelectionElement());
+				// block javascript here
+				if (!blockJavascript(imageLink)) {
+					if (taSelection.getSelectionElement().tagName.toLowerCase() === 'a') {
+						// due to differences in implementation between FireFox and Chrome, we must move the
+						// insertion point past the <a> element, otherwise FireFox inserts inside the <a>
+						// With this change, both FireFox and Chrome behave the same way!
+						taSelection.setSelectionAfterElement(taSelection.getSelectionElement());
+					}
+					// In the past we used the simple statement:
+					//return this.$editor().wrapSelection('insertImage', imageLink, true);
+					//
+					// However on Firefox only, when the content is empty this is a problem
+					// See Issue #1201
+					// Investigation reveals that Firefox only inserts a <p> only!!!!
+					// So now we use insertHTML here and all is fine.
+					// NOTE: this is what 'insertImage' is supposed to do anyway!
+					var embed = '<img src="' + imageLink + '">';
+					return this.$editor().wrapSelection('insertHTML', embed, true);
 				}
-				// In the past we used the simple statement:
-				//return this.$editor().wrapSelection('insertImage', imageLink, true);
-				//
-				// However on Firefox only, when the content is empty this is a problem
-				// See Issue #1201
-				// Investigation reveals that Firefox only inserts a <p> only!!!!
-				// So now we use insertHTML here and all is fine.
-				// NOTE: this is what 'insertImage' is supposed to do anyway!
-				var embed = '<img src="' + imageLink + '">';
-				return this.$editor().wrapSelection('insertHTML', embed, true);
 			}
 		},
 		onElementSelect: {
@@ -761,27 +771,32 @@ angular.module('textAngularSetup', [])
 		action: function(){
 			var urlPrompt;
 			urlPrompt = $window.prompt(taTranslations.insertVideo.dialogPrompt, 'https://');
-			if (urlPrompt && urlPrompt !== '' && urlPrompt !== 'https://') {
+			// block javascript here
+			/* istanbul ignore else: if it's javascript don't worry - though probably should show some kind of error message */
+			if (!blockJavascript(urlPrompt)) {
 
-				videoId = taToolFunctions.extractYoutubeVideoId(urlPrompt);
+				if (urlPrompt && urlPrompt !== '' && urlPrompt !== 'https://') {
 
-				/* istanbul ignore else: if it's invalid don't worry - though probably should show some kind of error message */
-				if(videoId){
-					// create the embed link
-					var urlLink = "https://www.youtube.com/embed/" + videoId;
-					// create the HTML
-					// for all options see: http://stackoverflow.com/questions/2068344/how-do-i-get-a-youtube-video-thumbnail-from-the-youtube-api
-					// maxresdefault.jpg seems to be undefined on some.
-					var embed = '<img class="ta-insert-video" src="https://img.youtube.com/vi/' + videoId + '/hqdefault.jpg" ta-insert-video="' + urlLink + '" contenteditable="false" allowfullscreen="true" frameborder="0" />';
-					/* istanbul ignore next: don't know how to test this... since it needs a dialogPrompt */
-					if (taSelection.getSelectionElement().tagName.toLowerCase() === 'a') {
-						// due to differences in implementation between FireFox and Chrome, we must move the
-						// insertion point past the <a> element, otherwise FireFox inserts inside the <a>
-						// With this change, both FireFox and Chrome behave the same way!
-						taSelection.setSelectionAfterElement(taSelection.getSelectionElement());
+					videoId = taToolFunctions.extractYoutubeVideoId(urlPrompt);
+
+					/* istanbul ignore else: if it's invalid don't worry - though probably should show some kind of error message */
+					if (videoId) {
+						// create the embed link
+						var urlLink = "https://www.youtube.com/embed/" + videoId;
+						// create the HTML
+						// for all options see: http://stackoverflow.com/questions/2068344/how-do-i-get-a-youtube-video-thumbnail-from-the-youtube-api
+						// maxresdefault.jpg seems to be undefined on some.
+						var embed = '<img class="ta-insert-video" src="https://img.youtube.com/vi/' + videoId + '/hqdefault.jpg" ta-insert-video="' + urlLink + '" contenteditable="false" allowfullscreen="true" frameborder="0" />';
+						/* istanbul ignore next: don't know how to test this... since it needs a dialogPrompt */
+						if (taSelection.getSelectionElement().tagName.toLowerCase() === 'a') {
+							// due to differences in implementation between FireFox and Chrome, we must move the
+							// insertion point past the <a> element, otherwise FireFox inserts inside the <a>
+							// With this change, both FireFox and Chrome behave the same way!
+							taSelection.setSelectionAfterElement(taSelection.getSelectionElement());
+						}
+						// insert
+						return this.$editor().wrapSelection('insertHTML', embed, true);
 					}
-					// insert
-					return this.$editor().wrapSelection('insertHTML', embed, true);
 				}
 			}
 		},
@@ -798,7 +813,11 @@ angular.module('textAngularSetup', [])
 			var urlLink;
 			urlLink = $window.prompt(taTranslations.insertLink.dialogPrompt, 'http://');
 			if(urlLink && urlLink !== '' && urlLink !== 'http://'){
-				return this.$editor().wrapSelection('createLink', urlLink, true);
+				// block javascript here
+				/* istanbul ignore else: if it's javascript don't worry - though probably should show some kind of error message */
+				if (!blockJavascript(urlLink)) {
+					return this.$editor().wrapSelection('createLink', urlLink, true);
+				}
 			}
 		},
 		activeState: function(commonElement){
