From 334475a50bcc97a8c326aadff0dcbb61fad40a4f Mon Sep 17 00:00:00 2001
From: Till Krüss <me@tillkruess.com>
Date: Mon, 10 Feb 2014 11:02:06 -0500
Subject: [PATCH] prevent unwanted code execution via CURLOPT_POSTFIELDS

---
 program/js/tiny_mce/plugins/autolink/editor_plugin_src.js |   32 ++++++++++++++++++++++----------
 1 files changed, 22 insertions(+), 10 deletions(-)

diff --git a/program/js/tiny_mce/plugins/autolink/editor_plugin_src.js b/program/js/tiny_mce/plugins/autolink/editor_plugin_src.js
index 604da8b..c05fbbc 100644
--- a/program/js/tiny_mce/plugins/autolink/editor_plugin_src.js
+++ b/program/js/tiny_mce/plugins/autolink/editor_plugin_src.js
@@ -22,15 +22,15 @@
 	init : function(ed, url) {
 		var t = this;
 
-		// Internet Explorer has built-in automatic linking
-		if (tinyMCE.isIE)
-			return;
-
 		// Add a key down handler
-		ed.onKeyDown.add(function(ed, e) {
+		ed.onKeyDown.addToTop(function(ed, e) {
 			if (e.keyCode == 13)
 				return t.handleEnter(ed);
-			});
+		});
+
+		// Internet Explorer has built-in automatic linking for most cases
+		if (tinyMCE.isIE)
+			return;
 
 		ed.onKeyPress.add(function(ed, e) {
 			if (e.which == 41)
@@ -61,7 +61,7 @@
 
 			// We need at least five characters to form a URL,
 			// hence, at minimum, five characters from the beginning of the line.
-			r = ed.selection.getRng().cloneRange();
+			r = ed.selection.getRng(true).cloneRange();
 			if (r.startOffset < 5) {
 				// During testing, the caret is placed inbetween two text nodes. 
 				// The previous text node contains the URL.
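Review bot: The new `getRng(true)` argument is unexplained, and the surrounding comment only talks about the five-character minimum. Presumably `true` forces a W3C range so that `cloneRange()` exists now that IE reaches this code path for Enter; if so, say it on the line: `r = ed.selection.getRng(true).cloneRange(); // force W3C range, IE TextRange has no cloneRange`. The enclosing function starts and ends outside this hunk, so verify that `r` is not also obtained elsewhere without the flag.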
@@ -89,8 +89,11 @@
 					while (endContainer.nodeType != 3 && endContainer.firstChild)
 						endContainer = endContainer.firstChild;
 
-					r.setStart(endContainer, 0);
-					r.setEnd(endContainer, endContainer.nodeValue.length);
+					// Move range to text node
+					if (endContainer.nodeType == 3) {
+						r.setStart(endContainer, 0);
+						r.setEnd(endContainer, endContainer.nodeValue.length);
+					}
 				}
 
 				if (r.endOffset == 1)
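Review bot: When the descent through `firstChild` stops on a non-text node the new guard skips `setStart`/`setEnd`, which avoids reading `nodeValue` on a node that has none, but the range is then left wherever it was and control falls through to `if (r.endOffset == 1)` with offsets that no longer refer to `endContainer`. If that fall-through is intended, the comment should say so, e.g. `// Move range to text node; otherwise leave the range untouched and let the offset checks below run on the original range`; if not, an early `return;` in an `else` branch would make the no-text case explicit. The enclosing function starts and ends outside this hunk, so I cannot tell which is correct from here.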
@@ -124,12 +127,20 @@
 				r.setEnd(endContainer, start);
 			}
 
+			// Exclude last . from word like "www.site.com."
+			var text = r.toString();
+			if (text.charAt(text.length - 1) == '.') {
+				r.setEnd(endContainer, start - 1);
+			}
+
 			text = r.toString();
-			matches = text.match(/^(https?:\/\/|ssh:\/\/|ftp:\/\/|file:\/|www\.)(.+)$/i);
+			matches = text.match(/^(https?:\/\/|ssh:\/\/|ftp:\/\/|file:\/|www\.|(?:mailto:)?[A-Z0-9._%+-]+@)(.+)$/i);
 
 			if (matches) {
 				if (matches[1] == 'www.') {
 					matches[1] = 'http://www.';
+				} else if (/@$/.test(matches[1]) && !/^mailto:/.test(matches[1])) {
+					matches[1] = 'mailto:' + matches[1];
 				}
 
 				bookmark = ed.selection.getBookmark();
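Review bot: `var text = r.toString();` redeclares `text`, which the pre-existing `text = r.toString();` a few lines below shows is already declared earlier in the function; the `var` is harmless under hoisting but misleading, so drop it: `text = r.toString();`. The trailing-period strip also assumes the range end is at offset `start` in `endContainer`, which holds for the `r.setEnd(endContainer, start)` branch visible just above but may not hold if the range was positioned by the text-node branch in the earlier hunk (`r.setEnd(endContainer, endContainer.nodeValue.length)`); in that case `start - 1` is not the offset before the period and can even be negative, which `setEnd` rejects. A safer form is to compute the new end from the current range, `r.setEnd(r.endContainer, r.endOffset - 1);`, guarded by `r.endOffset > 0`. The new mailto branch uses `==` and regex tests where `matches[1].slice(-1) === '@' && matches[1].indexOf('mailto:') !== 0` would read more directly, though that is style only. The enclosing function continues outside the hunk.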
@@ -137,6 +148,7 @@
 				ed.selection.setRng(r);
 				tinyMCE.execCommand('createlink',false, matches[1] + matches[2]);
 				ed.selection.moveToBookmark(bookmark);
+				ed.nodeChanged();
 
 				// TODO: Determine if this is still needed.
 				if (tinyMCE.isWebKit) {

--
Gitblit v1.9.1