// Modified showdown to only parse a few things function strip_tags(str, allowed_tags) { // Strips HTML and PHP tags from a string // // version: 1003.2411 // discuss at: http://phpjs.org/functions/strip_tags // + original by: Kevin van Zonneveld (http://kevin.vanzonneveld.net) // + improved by: Luke Godfrey // + input by: Pul // + bugfixed by: Kevin van Zonneveld (http://kevin.vanzonneveld.net) // + bugfixed by: Onno Marsman // + input by: Alex // + bugfixed by: Kevin van Zonneveld (http://kevin.vanzonneveld.net) // + input by: Marc Palau // + improved by: Kevin van Zonneveld (http://kevin.vanzonneveld.net) // + input by: Brett Zamir (http://brett-zamir.me) // + bugfixed by: Kevin van Zonneveld (http://kevin.vanzonneveld.net) // + bugfixed by: Eric Nagel // + input by: Bobby Drake // + bugfixed by: Kevin van Zonneveld (http://kevin.vanzonneveld.net) // + bugfixed by: Tomasz Wesolowski // * example 1: strip_tags('

Kevin

van Zonneveld', ''); // * returns 1: 'Kevin van Zonneveld' // * example 2: strip_tags('
Kevin van Zonneveld
', '
'); // * returns 2: '
Kevin van Zonneveld
' // * example 3: strip_tags("Kevin van Zonneveld", ""); // * returns 3: 'Kevin van Zonneveld' // * example 4: strip_tags('1 < 5 5 > 1'); // * returns 4: '1 < 5 5 > 1' var key = '', allowed = false; var matches = []; var allowed_array = []; var allowed_tag = ''; var i = 0; var k = ''; var html = ''; var replacer = function (search, replace, str) { return str.split(search).join(replace); }; // Build allowes tags associative array if (allowed_tags) { allowed_array = allowed_tags.match(/([a-zA-Z0-9]+)/gi); } str += ''; // Match tags matches = str.match(/(<\/?[\S][^>]*>)/gi); // Go through all HTML tags for (key in matches) { if (isNaN(key)) { // IE7 Hack continue; } // Save HTML tag html = matches[key].toString(); // Is tag not in allowed list? Remove from str! allowed = false; // Go through all allowed tags for (k in allowed_array) { // Init allowed_tag = allowed_array[k]; i = -1; if (i != 0) { i = html.toLowerCase().indexOf('<'+allowed_tag+'>');} if (i != 0) { i = html.toLowerCase().indexOf('<'+allowed_tag+' ');} if (i != 0) { i = html.toLowerCase().indexOf(' // and tags get encoded. // // Clear the global hashes. If we don't clear these, you get conflicts // from other articles when generating a page which contains more than // one article (e.g. an index page that shows the N most recent // articles): g_urls = new Array(); g_titles = new Array(); g_html_blocks = new Array(); // attacklab: Replace ~ with ~T // This lets us use tilde as an escape char to avoid md5 hashes // The choice of character is arbitray; anything that isn't // magic in Markdown will work. text = text.replace(/~/g,"~T"); // attacklab: Replace $ with ~D // RegExp interprets $ as a special character // when it's in a replacement string text = text.replace(/\$/g,"~D"); // Standardize line endings text = text.replace(/\r\n/g,"\n"); // DOS to Unix text = text.replace(/\r/g,"\n"); // Mac to Unix // Make sure text begins and ends with a couple of newlines: text = "\n\n" + text + "\n\n"; // Convert all tabs to spaces. text = _Detab(text); // Strip any lines consisting only of spaces and tabs. // This makes subsequent regexen easier to write, because we can // match consecutive blank lines with /\n+/ instead of something // contorted like /[ \t]*\n+/ . text = text.replace(/^[ \t]+$/mg,""); // Turn block-level HTML blocks into hash entries text = _HashHTMLBlocks(text); // Strip link definitions, store in hashes. text = _StripLinkDefinitions(text); text = _RunBlockGamut(text); text = _UnescapeSpecialChars(text); // attacklab: Restore dollar signs text = text.replace(/~D/g,"$$"); // attacklab: Restore tildes text = text.replace(/~T/g,"~"); return text; } var _StripLinkDefinitions = function(text) { // // Strips link definitions from text, stores the URLs and titles in // hash references. // // Link defs are in the form: ^[id]: url "optional title" /* var text = text.replace(/ ^[ ]{0,3}\[(.+)\]: // id = $1 attacklab: g_tab_width - 1 [ \t]* \n? // maybe *one* newline [ \t]* ? // url = $2 [ \t]* \n? // maybe one newline [ \t]* (?: (\n*) // any lines skipped = $3 attacklab: lookbehind removed ["(] (.+?) // title = $4 [")] [ \t]* )? // title is optional (?:\n+|$) /gm, function(){...}); */ var text = text.replace(/^[ ]{0,3}\[(.+)\]:[ \t]*\n?[ \t]*?[ \t]*\n?[ \t]*(?:(\n*)["(](.+?)[")][ \t]*)?(?:\n+|\Z)/gm, function (wholeMatch,m1,m2,m3,m4) { m1 = m1.toLowerCase(); g_urls[m1] = _EncodeAmpsAndAngles(m2); // Link IDs are case-insensitive if (m3) { // Oops, found blank lines, so it's not a title. // Put back the parenthetical statement we stole. return m3+m4; } else if (m4) { g_titles[m1] = m4.replace(/"/g,"""); } // Completely remove the definition from the text return ""; } ); return text; } var _HashHTMLBlocks = function(text) { // attacklab: Double up blank lines to reduce lookaround text = text.replace(/\n/g,"\n\n"); // Hashify HTML blocks: // We only want to do this for block-level HTML tags, such as headers, // lists, and tables. That's because we still want to wrap
s around // "paragraphs" that are wrapped in non-block-level tags, such as anchors, // phrase emphasis, and spans. The list of tags we're looking for is // hard-coded: var block_tags_a = "p|pre|table|dl|ol|ul|script|noscript|form|fieldset|iframe|math|ins|del" var block_tags_b = "p|pre|table|dl|ol|ul|script|noscript|form|fieldset|iframe|math" // First, look for nested blocks, e.g.: //
//
// tags for inner block must be indented. //
//
// // The outermost tags must start at the left margin for this to match, and // the inner nested divs must be indented. // We need to do this before the next, more liberal match, because the next // match will start at the first `
` and stop at the first `
`. // attacklab: This regex can be expensive when it fails. /* var text = text.replace(/ ( // save in $1 ^ // start of line (with /m) <($block_tags_a) // start tag = $2 \b // word break // attacklab: hack around khtml/pcre bug... [^\r]*?\n // any number of lines, minimally matching // the matching end tag [ \t]* // trailing spaces/tabs (?=\n+) // followed by a newline ) // attacklab: there are sentinel newlines at end of document /gm,function(){...}}; */ text = text.replace(/^(<(p|div|h[1-6]|blockquote|pre|table|dl|ol|ul|script|noscript|form|fieldset|iframe|math|ins|del)\b[^\r]*?\n<\/\2>[ \t]*(?=\n+))/gm,hashElement); // // Now match more liberally, simply from `\n` to `\n` // /* var text = text.replace(/ ( // save in $1 ^ // start of line (with /m) <($block_tags_b) // start tag = $2 \b // word break // attacklab: hack around khtml/pcre bug... [^\r]*? // any number of lines, minimally matching .* // the matching end tag [ \t]* // trailing spaces/tabs (?=\n+) // followed by a newline ) // attacklab: there are sentinel newlines at end of document /gm,function(){...}}; */ text = text.replace(/^(<(p|div|h[1-6]|blockquote|pre|table|dl|ol|ul|script|noscript|form|fieldset|iframe|math)\b[^\r]*?.*<\/\2>[ \t]*(?=\n+)\n)/gm,hashElement); // Special case just for
. It was easier to make a special case than // to make the other regex more complicated. /* text = text.replace(/ ( // save in $1 \n\n // Starting after a blank line [ ]{0,3} (<(hr) // start tag = $2 \b // word break ([^<>])*? // \/?>) // the matching end tag [ \t]* (?=\n{2,}) // followed by a blank line ) /g,hashElement); */ text = text.replace(/(\n[ ]{0,3}(<(hr)\b([^<>])*?\/?>)[ \t]*(?=\n{2,}))/g,hashElement); // Special case for standalone HTML comments: /* text = text.replace(/ ( // save in $1 \n\n // Starting after a blank line [ ]{0,3} // attacklab: g_tab_width - 1 [ \t]* (?=\n{2,}) // followed by a blank line ) /g,hashElement); */ text = text.replace(/(\n\n[ ]{0,3}[ \t]*(?=\n{2,}))/g,hashElement); // PHP and ASP-style processor instructions ( and <%...%>) /* text = text.replace(/ (?: \n\n // Starting after a blank line ) ( // save in $1 [ ]{0,3} // attacklab: g_tab_width - 1 (?: <([?%]) // $2 [^\r]*? \2> ) [ \t]* (?=\n{2,}) // followed by a blank line ) /g,hashElement); */ text = text.replace(/(?:\n\n)([ ]{0,3}(?:<([?%])[^\r]*?\2>)[ \t]*(?=\n{2,}))/g,hashElement); // attacklab: Undo double lines (see comment at top of this function) text = text.replace(/\n\n/g,"\n"); return text; } var hashElement = function(wholeMatch,m1) { var blockText = m1; // Undo double lines blockText = blockText.replace(/\n\n/g,"\n"); blockText = blockText.replace(/^\n/,""); // strip trailing blank lines blockText = blockText.replace(/\n+$/g,""); // Replace the element text with a marker ("~KxK" where x is its key) blockText = "\n\n~K" + (g_html_blocks.push(blockText)-1) + "K\n\n"; return blockText; }; var _RunBlockGamut = function(text) { text = _FormParagraphs(text); return text; } var _RunSpanGamut = function(text) { text = _EscapeSpecialCharsWithinTagAttributes(text); text = _EncodeBackslashEscapes(text); text = _DoAnchors(text); // Make links out of things like `` // Must come after _DoAnchors(), because you can use < and > // delimiters in inline links like [this](). text = _DoAutoLinks(text); text = _EncodeAmpsAndAngles(text); text = _DoItalicsAndBold(text); // Do hard breaks: text = text.replace(/ +\n/g,"
\n"); return text; } var _EscapeSpecialCharsWithinTagAttributes = function(text) { // // Within tags -- meaning between < and > -- encode [\ ` * _] so they // don't conflict with their use in Markdown for code, italics and strong. // // Build a regex to find HTML tags and comments. See Friedl's // "Mastering Regular Expressions", 2nd Ed., pp. 200-201. var regex = /(<[a-z\/!$]("[^"]*"|'[^']*'|[^'">])*>|)/gi; text = text.replace(regex, function(wholeMatch) { var tag = wholeMatch.replace(/(.)<\/?code>(?=.)/g,"$1`"); tag = escapeCharacters(tag,"\\`*_"); return tag; }); return text; } var _DoAnchors = function(text) { // // Turn Markdown link shortcuts into XHTML tags. // // // First, handle reference-style links: [link text] [id] // /* text = text.replace(/ ( // wrap whole match in $1 \[ ( (?: \[[^\]]*\] // allow brackets nested one level | [^\[] // or anything else )* ) \] [ ]? // one optional space (?:\n[ ]*)? // one optional newline followed by spaces \[ (.*?) // id = $3 \] )()()()() // pad remaining backreferences /g,_DoAnchors_callback); */ text = text.replace(/(\[((?:\[[^\]]*\]|[^\[\]])*)\][ ]?(?:\n[ ]*)?\[(.*?)\])()()()()/g,writeAnchorTag); // // Next, inline-style links: [link text](url "optional title") // /* text = text.replace(/ ( // wrap whole match in $1 \[ ( (?: \[[^\]]*\] // allow brackets nested one level | [^\[\]] // or anything else ) ) \] \( // literal paren [ \t]* () // no id, so leave $3 empty ? // href = $4 [ \t]* ( // $5 (['"]) // quote char = $6 (.*?) // Title = $7 \6 // matching quote [ \t]* // ignore any spaces/tabs between closing quote and ) )? // title is optional \) ) /g,writeAnchorTag); */ text = text.replace(/(\[((?:\[[^\]]*\]|[^\[\]])*)\]\([ \t]*()?[ \t]*((['"])(.*?)\6[ \t]*)?\))/g,writeAnchorTag); // // Last, handle reference-style shortcuts: [link text] // These must come last in case you've also got [link test][1] // or [link test](/foo) // /* text = text.replace(/ ( // wrap whole match in $1 \[ ([^\[\]]+) // link text = $2; can't contain '[' or ']' \] )()()()()() // pad rest of backreferences /g, writeAnchorTag); */ text = text.replace(/(\[([^\[\]]+)\])()()()()()/g, writeAnchorTag); return text; } var writeAnchorTag = function(wholeMatch,m1,m2,m3,m4,m5,m6,m7) { if (m7 == undefined) m7 = ""; var whole_match = m1; var link_text = m2; var link_id = m3.toLowerCase(); var url = m4; var title = m7; if (url == "") { if (link_id == "") { // lower-case and turn embedded newlines into spaces link_id = link_text.toLowerCase().replace(/ ?\n/g," "); } url = "#"+link_id; if (g_urls[link_id] != undefined) { url = g_urls[link_id]; if (g_titles[link_id] != undefined) { title = g_titles[link_id]; } } else { if (whole_match.search(/\(\s*\)$/m)>-1) { // Special case for explicit empty url url = ""; } else { return whole_match; } } } url = escapeCharacters(url,"*_"); var result = ""; return result; } var _DoItalicsAndBold = function(text) { // must go first: text = text.replace(/(\*\*|__)(?=\S)([^\r]*?\S[*_]*)\1/g, "$2"); text = text.replace(/(\*|_)(?=\S)([^\r]*?\S)\1/g, "$2"); return text; } var _FormParagraphs = function(text) { // // Params: // $text - string to process with html
tags // // Strip leading and trailing lines: text = text.replace(/^\n+/g,""); text = text.replace(/\n+$/g,""); var grafs = text.split(/\n{2,}/g); var grafsOut = new Array(); // // Wrap
tags. // var end = grafs.length; for (var i=0; i= 0) { grafsOut.push(str); } else if (str.search(/\S/) >= 0) { str = _RunSpanGamut(str); str = str.replace(/^([ \t]*)/g,"
"); str += "
" grafsOut.push(str); } } // // Unhashify HTML blocks // end = grafsOut.length; for (var i=0; i= 0) { var blockText = g_html_blocks[RegExp.$1]; blockText = blockText.replace(/\$/g,"$$$$"); // Escape any dollar signs grafsOut[i] = grafsOut[i].replace(/~K\d+K/,blockText); } } return grafsOut.join("\n\n"); } var _EncodeAmpsAndAngles = function(text) { // Smart processing for ampersands and angle brackets that need to be encoded. // Ampersand-encoding based entirely on Nat Irons's Amputator MT plugin: // http://bumppo.net/projects/amputator/ text = text.replace(/&(?!#?[xX]?(?:[0-9a-fA-F]+|\w+);)/g,"&"); // Encode naked <'s text = text.replace(/<(?![a-z\/?\$!])/gi,"<"); return text; } var _EncodeBackslashEscapes = function(text) { // // Parameter: String. // Returns: The string, with after processing the following backslash // escape sequences. // // attacklab: The polite way to do this is with the new // escapeCharacters() function: // // text = escapeCharacters(text,"\\",true); // text = escapeCharacters(text,"`*_{}[]()>#+-.!",true); // // ...but we're sidestepping its use of the (slow) RegExp constructor // as an optimization for Firefox. This function gets called a LOT. text = text.replace(/\\(\\)/g,escapeCharacters_callback); text = text.replace(/\\([`*_{}\[\]()>#+-.!])/g,escapeCharacters_callback); return text; } var _DoAutoLinks = function(text) { text = text.replace(/<((https?|ftp|dict):[^'">\s]+)>/gi,"$1"); // Email addresses: /* text = text.replace(/ < (?:mailto:)? ( [-.\w]+ \@ [-a-z0-9]+(\.[-a-z0-9]+)*\.[a-z]+ ) > /gi, _DoAutoLinks_callback()); */ text = text.replace(/<(?:mailto:)?([-.\w]+\@[-a-z0-9]+(\.[-a-z0-9]+)*\.[a-z]+)>/gi, function(wholeMatch,m1) { return _EncodeEmailAddress( _UnescapeSpecialChars(m1) ); } ); return text; } var _EncodeEmailAddress = function(addr) { // // Input: an email address, e.g. "foo@example.com" // // Output: the email address as a mailto link, with each character // of the address encoded as either a decimal or hex entity, in // the hopes of foiling most address harvesting spam bots. E.g.: // // foo // @example.com // // Based on a filter by Matthew Wickline, posted to the BBEdit-Talk // mailing list: // // attacklab: why can't javascript speak hex? function char2hex(ch) { var hexDigits = '0123456789ABCDEF'; var dec = ch.charCodeAt(0); return(hexDigits.charAt(dec>>4) + hexDigits.charAt(dec&15)); } var encode = [ function(ch){return "&#"+ch.charCodeAt(0)+";";}, function(ch){return "&#x"+char2hex(ch)+";";}, function(ch){return ch;} ]; addr = "mailto:" + addr; addr = addr.replace(/./g, function(ch) { if (ch == "@") { // this *must* be encoded. I insist. ch = encode[Math.floor(Math.random()*2)](ch); } else if (ch !=":") { // leave ':' alone (to spot mailto: later) var r = Math.random(); // roughly 10% raw, 45% hex, 45% dec ch = ( r > .9 ? encode[2](ch) : r > .45 ? encode[1](ch) : encode[0](ch) ); } return ch; }); addr = "" + addr + ""; addr = addr.replace(/">.+:/g,"\">"); // strip the mailto: from the visible part return addr; } var _UnescapeSpecialChars = function(text) { // // Swap back in all the special characters we've hidden. // text = text.replace(/~E(\d+)E/g, function(wholeMatch,m1) { var charCodeToReplace = parseInt(m1); return String.fromCharCode(charCodeToReplace); } ); return text; } var _Detab = function(text) { // attacklab: Detab's completely rewritten for speed. // In perl we could fix it by anchoring the regexp with \G. // In javascript we're less fortunate. // expand first n-1 tabs text = text.replace(/\t(?=\t)/g," "); // attacklab: g_tab_width // replace the nth with two sentinels text = text.replace(/\t/g,"~A~B"); // use the sentinel to anchor our regex so it doesn't explode text = text.replace(/~B(.+?)~A/g, function(wholeMatch,m1,m2) { var leadingText = m1; var numSpaces = 4 - leadingText.length % 4; // attacklab: g_tab_width // there *must* be a better way to do this: for (var i=0; i