From 8be8831adbf4b1429b2ef0ebf07d3100409690d3 Mon Sep 17 00:00:00 2001
From: Hannah Wolfe
Date: Fri, 20 Feb 2015 15:44:02 +0000
Subject: [PATCH] Validate urls in modal

- Urls added via a model are stored in the DB and need to be validated
Credits: Abdel Adim Oisif
---
 core/client/components/gh-upload-modal.js | 40 ++++++++++++++++++-----
 1 file changed, 32 insertions(+), 8 deletions(-)

diff --git a/core/client/components/gh-upload-modal.js b/core/client/components/gh-upload-modal.js
index 4512c8b1be..d297c26e30 100644
--- a/core/client/components/gh-upload-modal.js
+++ b/core/client/components/gh-upload-modal.js
@@ -1,5 +1,6 @@
 import ModalDialog from 'ghost/components/gh-modal-dialog';
 import upload from 'ghost/assets/lib/uploader';
+import cajaSanitizers from 'ghost/utils/caja-sanitizers';
 var UploadModal = ModalDialog.extend({
 layoutName: 'components/gh-modal-dialog',
@@ -8,6 +9,16 @@ var UploadModal = ModalDialog.extend({
 this._super();
 upload.call(this.$('.js-drop-zone'), {fileStorage: this.get('config.fileStorage')});
 },
+ keyDown: function () {
+ this.setErrorState(false);
+ },
+ setErrorState: function (state) {
+ if (state) {
+ this.$('.js-upload-url').addClass('error');
+ } else {
+ this.$('.js-upload-url').removeClass('error');
+ }
+ },
 confirm: {
 reject: {
 func: function () { // The function called on rejection
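Review bot: `keyDown` clears the error class on every key press anywhere in the component, including keys that do not edit the URL field, so the invalid marker can disappear while the rejected value is still in the input. Clearing it from an input event on `.js-upload-url` would tie it to actual edits. As a style point, the add/remove branches in `setErrorState` collapse to `this.$('.js-upload-url').toggleClass('error', !!state);`. Neither new method is documented; a one-line comment such as `// Toggle the invalid-URL marker on the URL input` above `setErrorState` would be enough.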
@@ -18,15 +29,23 @@ var UploadModal = ModalDialog.extend({
 },
 accept: {
 buttonClass: 'btn btn-blue right',
- text: 'Save', // The accept button texttext: 'Save'
+ text: 'Save', // The accept button text: 'Save'
 func: function () {
- var imageType = 'model.' + this.get('imageType');
+ var imageType = 'model.' + this.get('imageType'),
+ value;
 if (this.$('.js-upload-url').val()) {
- this.set(imageType, this.$('.js-upload-url').val());
+ value = this.$('.js-upload-url').val();
+
+ if (!Ember.isEmpty(value) && !cajaSanitizers.url(value)) {
+ this.setErrorState(true);
+ return {message: 'Image URI is not valid'};
+ }
 } else {
- this.set(imageType, this.$('.js-upload-target').attr('src'));
+ value = this.$('.js-upload-target').attr('src');
 }
+
+ this.set(imageType, value);
 return true;
 }
 }
@@ -37,12 +56,17 @@ var UploadModal = ModalDialog.extend({
 this.sendAction();
 },
 confirm: function (type) {
- var func = this.get('confirm.' + type + '.func');
+ var result,
+ func = this.get('confirm.' + type + '.func');
+
 if (typeof func === 'function') {
- func.apply(this);
+ result = func.apply(this);
+ }
+
+ if (!result.message) {
+ this.sendAction();
+ this.sendAction('confirm' + type);
 }
- this.sendAction();
- this.sendAction('confirm' + type);
 }
 }
 });
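Review bot: The `cajaSanitizers.url(value)` check in the accept `func` runs only in the browser, so it guards this modal but not the stored field itself; a write that does not pass through this component is not covered. Since the commit message says these URLs are persisted, the same check belongs in server-side validation of the image fields, and whether that exists is not visible in this diff. Within the hunk, the `else` branch assigns the `src` of `.js-upload-target` without passing it through the sanitizer. Running the check once on `value` just before `this.set(imageType, value)` would cover both paths, assuming the sanitizer accepts the paths the uploader produces. The inner `!Ember.isEmpty(value)` test is redundant, because the outer `if` already requires a non-empty value.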
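Review bot: `if (!result.message)` in the `confirm` action reads a property of `result` even when `result` is `undefined`. That happens when `confirm.<type>.func` is not a function, and also when a handler returns nothing; the `reject` handler's body is outside this diff, so its return value cannot be checked here. In either case the line throws a TypeError and neither `sendAction` call runs, so the modal cannot be closed. Guarding the dereference keeps the previous behaviour for handlers without a return value: `if (!result || !result.message) {`.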