maxvyaznikov/gist:e282764465f1fead480a

## gistfile1.txt
# Make html safe for imapseagull-storage-mongo.
# Use post_parse_handlers setting to add

var sanitizer = require('sanitizer');  # https://github.com/theSmaw/Caja-HTML-Sanitizer

var _tagPolicy = sanitizer.makeTagPolicy(),
    _hrefScript = ['javascript:', 'vbscript:'],
    _tags = ['img', 'a'], _attrs = ['src', 'href'];  # Sanitizer erased all, so it's for exception
function sanitizationTagPolicy(storage, mail, tagName, attribs) {
    if (_tags.indexOf(tagName) >= 0 && attribs.length) {
        var a, a_name, i;
        for (i = 0; i < attribs.length; i += 2) {
            if (_attrs.indexOf(attribs[i]) >= 0) {
                a_name = attribs[i];
                a = attribs[i + 1];
                break;
            }
        }

        if (a) {
            u = url.parse(a);
            var value = '';
            if (tagName == 'img' && a_name == 'src' && u.protocol == 'cid:') { // Attachment is inside of html
                var attachment;
                for (i = 0; attachment = mail.attached_files[i]; ++i) {
                    if (attachment.cid.indexOf(u.host) >= 0) {
                        value = storage._cfg.attachment_download_url(attachment);
                        break
                    }
                }
            } else if (u && _hrefScript.indexOf(u.protocol) < 0) {
                // TODO: download online-links and embed as attachments
                value = url.format(u);
            }
            if (value != '') {
                var attrs = sanitizer.sanitizeAttribs(tagName, attribs);
                attrs.push(a_name);
                attrs.push(value);
                return { attribs: attrs }
            }
        }
    }

    return _tagPolicy.call(this, tagName, attribs);
}

/**
 * @param storage
 * @param mail (object) results of MongoDecorator.prototype.parse_raw_msg
 * @param callback
 */
function make_html_safe(storage, mail, callback) {
    mail.html_safe = (mail.html || '');
    mail.html_safe = sanitizer.sanitizeWithPolicy(mail.html_safe, async.apply(sanitizationTagPolicy, storage, mail));
    callback();
}
	# Make html safe for imapseagull-storage-mongo.
	# Use post_parse_handlers setting to add

	var sanitizer = require('sanitizer'); # https://github.com/theSmaw/Caja-HTML-Sanitizer

	var _tagPolicy = sanitizer.makeTagPolicy(),
	_hrefScript = ['javascript:', 'vbscript:'],
	_tags = ['img', 'a'], _attrs = ['src', 'href']; # Sanitizer erased all, so it's for exception
	function sanitizationTagPolicy(storage, mail, tagName, attribs) {
	if (_tags.indexOf(tagName) >= 0 && attribs.length) {
	var a, a_name, i;
	for (i = 0; i < attribs.length; i += 2) {
	if (_attrs.indexOf(attribs[i]) >= 0) {
	a_name = attribs[i];
	a = attribs[i + 1];
	break;
	}
	}

	if (a) {
	u = url.parse(a);
	var value = '';
	if (tagName == 'img' && a_name == 'src' && u.protocol == 'cid:') { // Attachment is inside of html
	var attachment;
	for (i = 0; attachment = mail.attached_files[i]; ++i) {
	if (attachment.cid.indexOf(u.host) >= 0) {
	value = storage._cfg.attachment_download_url(attachment);
	break
	}
	}
	} else if (u && _hrefScript.indexOf(u.protocol) < 0) {
	// TODO: download online-links and embed as attachments
	value = url.format(u);
	}
	if (value != '') {
	var attrs = sanitizer.sanitizeAttribs(tagName, attribs);
	attrs.push(a_name);
	attrs.push(value);
	return { attribs: attrs }
	}
	}
	}

	return _tagPolicy.call(this, tagName, attribs);
	}

	/**
	* @param storage
	* @param mail (object) results of MongoDecorator.prototype.parse_raw_msg
	* @param callback
	*/
	function make_html_safe(storage, mail, callback) {
	mail.html_safe = (mail.html \|\| '');
	mail.html_safe = sanitizer.sanitizeWithPolicy(mail.html_safe, async.apply(sanitizationTagPolicy, storage, mail));
	callback();
	}