id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
685,Patch to make javascript safe (not execute) in Xinha,mharrisonline,gogo,"In htmlarea.js, just below the line that says:

{{{
  // external stylesheets to load (REFERENCE THESE ABSOLUTELY)
  this.pageStyleSheets = [""this.css""];
}}}

add:

{{{
  // external js file to link content to (REFERENCE THIS ABSOLUTELY)
  // example:   utilityjs = ""flashobject.js"";
  utilityjs = """";
}}}

Replace:


{{{
  // Set up event listeners for saving the iframe content to the textarea
  if (textarea.form)
  {
    // onsubmit get the HTMLArea content and update original textarea.
    HTMLArea.prependDom0Event
    (
      this._textArea.form,
      'submit',
      function() {editor._textArea.value = editor.outwardHtml(editor.getHTML()); return true;}
    );
}}}

with:

{{{
  // Set up event listeners for saving the iframe content to the textarea
  if (textarea.form)
  {
    // onsubmit get the HTMLArea content and update original textarea.
    HTMLArea.prependDom0Event
    (
      this._textArea.form,
      'submit',
      function() {editor._textArea.value = editor.outwardHtml(editor.getHTML()).replace(/freezescript/ig, ""javascript""); return true;}
    );
}}}

Replace:

{{{
      html += ""</head>\n"";
      html += ""<body>\n"";
      html +=   editor.inwardHtml(editor._textArea.value);
      html += ""</body>\n"";
      html += ""</html>"";
    } else {
      var html = editor.inwardHtml(editor._textArea.value);
      if (html.match(HTMLArea.RE_doctype)) {
        editor.setDoctype(RegExp.$1);
        html = html.replace(HTMLArea.RE_doctype, """");
      }
    }
    doc.write(html);
    doc.close();
}}}

with:


{{{
      html += ""</head>\n"";
      html += ""<body>\n"";
      html +=   editor.inwardHtml(editor._textArea.value);
      html += ""</body>\n"";
      html += ""</html>"";
    } else {
      var html = editor.inwardHtml(editor._textArea.value);
	  if(utilityjs){
	  html = ""<script type=\""text/javascript\"" src=\""""+utilityjs+""\""></script>\n"" + html;
	  }
	  html = html.replace(/<script>/ig, ""<script type=\""text/freezescript\"">"");
	  html = html.replace(/javascript/ig, ""freezescript"");
      if (html.match(HTMLArea.RE_doctype)) {
        editor.setDoctype(RegExp.$1);
        html = html.replace(HTMLArea.RE_doctype, """");
      }
    }
    doc.write(html);
    doc.close();
}}}

This adds a config option for linking an external JS file such as flashobject.js, and also allows JavaScript `document.write` calls to remain in the content without executing: when the content is loaded into the editor, `<script>` tags are rewritten to `type="text/freezescript"` and the token `javascript` to `freezescript`, and the submit handler turns `freezescript` back into `javascript` when it writes the textarea value.

Please add this capability to core Xinha so the Flash plugin can be used by any Xinha user.",defect,closed,normal,2.0,Xinha Core,,normal,fixed,javascript execute write freezescript,
