From f19efdb859a2305f7012f9ce80eb9e5cabb446dc Mon Sep 17 00:00:00 2001
From: Calvin Montgomery <calzoneman@gmail.com>
Date: Sat, 18 Aug 2018 13:14:37 -0700
Subject: [PATCH] Fix #762

---
 package.json        |  2 +-
 www/js/callbacks.js | 34 +++++++++++++++++++++-------------
 www/js/util.js      | 19 +++++++++++--------
 3 files changed, 33 insertions(+), 22 deletions(-)

diff --git a/package.json b/package.json
index 6c5ed614..b0d73b02 100644
--- a/package.json
+++ b/package.json
@@ -2,7 +2,7 @@
   "author": "Calvin Montgomery",
   "name": "CyTube",
   "description": "Online media synchronizer and chat",
-  "version": "3.57.0",
+  "version": "3.57.1",
   "repository": {
     "url": "http://github.com/calzoneman/sync"
   },
diff --git a/www/js/callbacks.js b/www/js/callbacks.js
index 1d7b3b10..28fb7c9f 100644
--- a/www/js/callbacks.js
+++ b/www/js/callbacks.js
@@ -266,7 +266,14 @@ Callbacks = {
 
         if(opts.externaljs.trim() != "" && !USEROPTS.ignore_channeljs &&
            opts.externaljs !== CHANNEL.opts.externaljs) {
-            checkScriptAccess(opts.externaljs, "external", function (pref) {
+            var viewSource = document.createElement("a");
+            viewSource.className = "btn btn-danger";
+            viewSource.setAttribute("role", "button");
+            viewSource.setAttribute("target", "_blank");
+            viewSource.setAttribute("rel", "noopener noreferer");
+            viewSource.textContent = "View external script source";
+            viewSource.href = opts.externaljs;
+            checkScriptAccess(viewSource, "external", function (pref) {
                 if (pref === "ALLOW") {
                     $.getScript(opts.externaljs);
                 }
@@ -304,19 +311,20 @@ Callbacks = {
         $("#cs-jstext").val(data.js);
 
         if(data.js && !USEROPTS.ignore_channeljs) {
-            var src = data.js
-                .replace(/&/g, "&amp;")
-                .replace(/</g, "&lt;")
-                .replace(/>/g, "&gt;")
-                .replace(/\n/g, "<br>")
-                .replace(/\t/g, "    ")
-                .replace(/ /g, "&nbsp;");
-            src = encodeURIComponent(src);
+            var viewSource = document.createElement("button");
+            viewSource.className = "btn btn-danger";
+            viewSource.textContent = "View inline script source";
+            viewSource.onclick = function () {
+                var content = document.createElement("pre");
+                content.textContent = data.js;
+                modalAlert({
+                    title: "Inline JS",
+                    htmlContent: content.outerHTML,
+                    dismissText: "Close"
+                });
+            };
 
-            var viewsource = "data:text/html, <body style='font: 9pt monospace;" +
-                             "max-width:60rem;margin:0 auto;padding:4rem;'>" +
-                             src + "</body>";
-            checkScriptAccess(viewsource, "embedded", function (pref) {
+            checkScriptAccess(viewSource, "embedded", function (pref) {
                 if (pref === "ALLOW") {
                     $("<script/>").attr("type", "text/javascript")
                         .attr("id", "chanjs")
diff --git a/www/js/util.js b/www/js/util.js
index 2729e863..7eda39c0 100644
--- a/www/js/util.js
+++ b/www/js/util.js
@@ -2138,7 +2138,7 @@ function modalAlert(options) {
     var footer = $("<div/>").addClass("modal-footer");
     var okButton = $("<button/>").addClass("btn btn-primary")
             .attr({ "data-dismiss": "modal"})
-            .text("OK")
+            .text(options.dismissText || "OK")
             .appendTo(footer);
     footer.appendTo(modal.find(".modal-content"));
     modal.appendTo(document.body);
@@ -2783,7 +2783,7 @@ function initPm(user) {
     return pm;
 }
 
-function checkScriptAccess(source, type, cb) {
+function checkScriptAccess(viewSource, type, cb) {
     var pref = JSPREF[CHANNEL.name.toLowerCase() + "_" + type];
     if (pref === "ALLOW") {
         return cb("ALLOW");
@@ -2791,7 +2791,7 @@ function checkScriptAccess(source, type, cb) {
         var div = $("#chanjs-allow-prompt");
         if (div.length > 0) {
             setTimeout(function () {
-                checkScriptAccess(source, type, cb);
+                checkScriptAccess(viewSource, type, cb);
             }, 500);
             return;
         }
@@ -2805,11 +2805,14 @@ function checkScriptAccess(source, type, cb) {
             .attr("id", "chanjs-allow-prompt")
             .attr("style", "text-align: center")
             .appendTo(div);
-        form.append("<span>This channel has special features that require your permission to run.</span><br>");
-        $("<a/>").attr("href", source)
-            .attr("target", "_blank")
-            .text(type === "embedded" ? "view embedded script" : source)
-            .appendTo(form);
+        if (type === "embedded") {
+            form.append("<span>This channel has special features that require your permission to run.</span><br>");
+        } else {
+            form.append("<span>This channel has special features that require your permission to run.  This script is hosted on a third-party website and is not endorsed by the owners of the website hosting this channel.</span><br>");
+        }
+
+        $(viewSource).appendTo(form);
+
         form.append("<div id='chanjs-allow-prompt-buttons'>" +
                         "<button id='chanjs-allow' class='btn btn-xs btn-danger'>Allow</button>" +
                         "<button id='chanjs-deny' class='btn btn-xs btn-danger'>Deny</button>" +