fix serializing html with embed codes containing scripts

nleush · nleush · commit 7aa55ba3f28e · 2016-02-16T21:53:19.000+02:00
diff --git a/src/js/core.js b/src/js/core.js
@@ -136,6 +136,12 @@
 
             $data.find('.medium-insert-buttons').remove();
 
+            // Restore original embed code from embed wrapper attribute value.
+            $data.find('[data-embed-code]').each(function() {
+                var $this = $(this);
+                $this.html($this.attr('data-embed-code'));
+            });
+
             data[key].value = $data.html();
         });
 
diff --git a/src/js/embeds.js b/src/js/embeds.js
@@ -298,10 +298,25 @@
             success: function(data) {
                 var html = data && data.html;
 
-                if (data && !data.html && data.type === 'photo' && data.url) {
+                if (data && !html && data.type === 'photo' && data.url) {
                     html = '<img src="' + data.url + '" alt="">';
                 }
 
+                if (!html) {
+                    // Prevent render empty embed.
+                    $.proxy(that, 'convertBadEmbed', url)();
+                    return;
+                }
+
+                if (html && html.indexOf('</script>') > -1) {
+                    // Store embed code with <script> tag inside wrapper attribute value.
+                    // Make nice attribute value escaping using jQuery.
+                    var $div = $('<div>')
+                        .attr('data-embed-code', html)
+                        .html(html);
+                    html = $('<div>').append($div).html();
+                }
+
                 $.proxy(that, 'embed', html)();
             },
             error: function(jqXHR, textStatus, errorThrown) {
