Changeset 620

Timestamp:

12/22/06 20:18:54 (6 years ago)

Author:

ray

Message:

Improve the handling of JavaScript? inside the editor (see #685)

Before this patch JavaScript? is kept in Mozilla, whereas in IE the contents of script nodes is lost while the tags remain

• changed HTMLArea.getHTMLWrapper to keep scripts intact or optionally strip the whole tag
  
• new config.stripScripts to control this
  
  • set to true by default to be consistent
    
• implemented freezescript solution proposed by mharrisonline to prevent scripts from being executed in the editor
  

Files:

• trunk/htmlarea.js (modified) (7 diffs)

trunk/htmlarea.js

@@ -363 +363 @@
   this.showLoading = false;
 
+  // set to false if you want to allow JavaScript in the content, otherwise <script> tags are stripped out
+  this.stripScripts = true;
+  
   // size of color picker cells
   this.colorPickerCellSize = '6px';
@@ -5140 +5143 @@
     html = html.replace(/<script[\s]*src[\s]*=[\s]*['"]chrome:\/\/.*?["']>[\s]*<\/script>/ig, '');
   }
+  //prevent execution of JavaScript (Ticket #685)
+  html = html.replace(/(<script[^>]*)(freezescript)/gi,"$1javascript");
 
   return html;
@@ -5161 +5166 @@
 
   html = this.inwardSpecialReplacements(html);
+
+  html = html.replace(/(<script[^>]*)(javascript)/gi,"$1freezescript");
 
   // For IE's sake, make any URLs that are semi-absolute (="/....") to be
@@ -5698 +5705 @@
 HTMLArea._blockTags = " body form textarea fieldset ul ol dl li div " +
 "p h1 h2 h3 h4 h5 h6 quote pre table thead " +
-"tbody tfoot tr td th iframe address blockquote";
+"tbody tfoot tr td th iframe address blockquote ";
 HTMLArea.isBlockElement = function(el)
 {
@@ -5800 +5807 @@
       var i;
       var root_tag = (root.nodeType == 1) ? root.tagName.toLowerCase() : '';
+      if ( ( root_tag == "script" || root_tag == "noscript" ) && editor.config.stripScripts )
+      {
+        break;
+      }
       if ( outputRoot )
       {
@@ -5821 +5832 @@
         }
         break;
-      } else if ( outputRoot )
+      }
+      else if ( outputRoot )
       {
         closed = (!(root.hasChildNodes() || HTMLArea.needsClosingTag(root)));
@@ -5924 +5936 @@
       }
       var containsBlock = false;
-      for ( i = root.firstChild; i; i = i.nextSibling )
-      {
-        if ( !containsBlock && i.nodeType == 1 && HTMLArea.isBlockElement(i) )
-        {
-          containsBlock = true;
-        }
-        html += HTMLArea.getHTMLWrapper(i, true, editor, indent + '  ');
-      }
-      if ( outputRoot && !closed )
-      {
-        html += (HTMLArea.is_ie && HTMLArea.isBlockElement(root) && containsBlock ? ('\n' + indent) : '') + "</" + root.tagName.toLowerCase() + ">";
+      if ( root_tag == "script" || root_tag == "noscript" )
+      {
+        if ( !editor.config.stripScripts )
+        {
+          var innerText = (HTMLArea.is_ie) ? "\n" + root.innerHTML.replace(/^[\n\r]*/,'').replace(/\s+$/,'') + '\n' + indent : root.firstChild.nodeValue;
+          html += innerText + '</'+root_tag+'>' + ((HTMLArea.is_ie) ? '\n' : '');
+        }
+      }
+      else
+      {
+        for ( i = root.firstChild; i; i = i.nextSibling )
+        {
+          if ( !containsBlock && i.nodeType == 1 && HTMLArea.isBlockElement(i) )
+          {
+            containsBlock = true;
+          }
+          html += HTMLArea.getHTMLWrapper(i, true, editor, indent + '  ');
+        }
+        if ( outputRoot && !closed )
+        {
+          html += (HTMLArea.is_ie && HTMLArea.isBlockElement(root) && containsBlock ? ('\n' + indent) : '') + "</" + root.tagName.toLowerCase() + ">";
+        }
       }
     break;