|
|
|
|
@ -179,8 +179,6 @@ define([
|
|
|
|
|
}).on('change', function (e) {
|
|
|
|
|
var files = Util.slice(e.target.files);
|
|
|
|
|
files.forEach(function (file) {
|
|
|
|
|
// XXX validate that the href is hosted on the same instance
|
|
|
|
|
// use relative URLs or compare it against a list or allowed domains?
|
|
|
|
|
var ev = {};
|
|
|
|
|
ev.callback = function (data) {
|
|
|
|
|
var x, a;
|
|
|
|
|
@ -321,10 +319,11 @@ define([
|
|
|
|
|
|
|
|
|
|
var attachments = (content.attachments || []).map(function (obj) {
|
|
|
|
|
if (!obj || !obj.name || !obj.href) { return; }
|
|
|
|
|
// only support files explicitly beginning with /file/ so that users can't link outside of the instance
|
|
|
|
|
if (!/^\/file\//.test(obj.href)) { return; }
|
|
|
|
|
var a = h('a', {
|
|
|
|
|
href: '#'
|
|
|
|
|
}, obj.name);
|
|
|
|
|
// XXX disallow remote URLs
|
|
|
|
|
$(a).click(function (e) {
|
|
|
|
|
e.preventDefault();
|
|
|
|
|
ctx.common.openURL(obj.href);
|
|
|
|
|
|
ansuz
4 years ago