﻿// This .js file prevents users from entering HTML text into text/textarea input form elements.
// If the user has JavaScript disabled, then the server will catch and log an exception instead.
//
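// NOTE: If you wish to allow HTML input into a particular text element, then add the class 'allowHtmlInput'
// to the element and it will be skipped during HTML input detection. You will also need to
// add ValidateRequest="false" on the Page directive to prevent the server exception. That setting turns
// off server-side request validation for the page, so the server code must then validate the page's
// fields itself and HTML-encode their values wherever they are displayed.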

// Result of the HTML check for the postback currently being handled. It is shared between the form
// submit handler bound in pageLoad and cancelPartialPostBackOnInvalidHtml so that whichever of the
// two runs first does the scan and the other reuses its answer:
//   null  - no check has been run yet, or the submit handler has consumed the last result
//   true  - checkFieldsForHtml() reported no HTML
//   false - checkFieldsForHtml() reported HTML in a text field
var fieldsCheckedForHtml = null;

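// Wires up the client-side HTML-input check for both partial and full postbacks.
//
// Registers cancelPartialPostBackOnInvalidHtml as an initializeRequest handler on the
// PageRequestManager and, when jQuery is available, binds a submit handler to every form that
// cancels the submit while a text field contains HTML.
//
// This check runs in the browser only, so it is an early warning for the user rather than the
// enforcing control: a request sent without this script still reaches the server, which has to
// reject or encode HTML input itself.
//
// NOTE(review): both handlers are registered on every call. If pageLoad runs more than once during
// the lifetime of the page they accumulate - confirm how often it is invoked.
function pageLoad() {
    Sys.WebForms.PageRequestManager.getInstance().add_initializeRequest(cancelPartialPostBackOnInvalidHtml);

    // Not sure why jQuery is not loaded yet on the default.aspx page but
    // this is a temporary stop-gap solution.
    if (typeof jQuery == 'undefined') {
        return;
    }

    // Stops postbacks if any text fields contain HTML.
    // Returns true to let the submit continue and false to cancel it.
    $('form').submit(function(e) {
        // Mozilla and IE call this handler and cancelPartialPostBackOnInvalidHtml in different
        // orders, so reuse the result when the other handler has already run the check.
        if (fieldsCheckedForHtml == null) {
            fieldsCheckedForHtml = checkFieldsForHtml();
        }

        if (fieldsCheckedForHtml) {
            // Consume the result so the next postback is checked afresh.
            fieldsCheckedForHtml = null;
            return true;
        }

        if (typeof e == 'undefined') {
            e = window.event;
        }

        var prm = Sys.WebForms.PageRequestManager.getInstance();
        if (prm && prm.get_isInAsyncPostBack()) {
            prm.abortPostBack();
        }

        // Stop postbacks from Mozilla/IE. Every access to the event is guarded: an exception here
        // would leave this handler without a return value and the submit would not be cancelled.
        if (e) {
            if (typeof e.preventDefault != 'undefined') {
                e.preventDefault();
            }

            if (typeof e.stopPropagation != 'undefined') {
                e.stopPropagation();
            }

            e.returnValue = false;
        }

        fieldsCheckedForHtml = null;
        return false;
    });
}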

// initializeRequest handler: cancels a partial postback (UpdatePanel) when a text field contains HTML.
// sender is unused; args is the event-args object whose set_cancel() receives the decision.
// When a result is already cached in fieldsCheckedForHtml the handler does nothing, so the
// fields are scanned at most once per postback; the cached value is left for the submit handler.
function cancelPartialPostBackOnInvalidHtml(sender, args) {
    if (fieldsCheckedForHtml != null) {
        return;
    }

    var fieldsAreClean = checkFieldsForHtml();
    fieldsCheckedForHtml = fieldsAreClean;
    args.set_cancel(!fieldsAreClean);
}

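// Check all text fields for possible unescaped HTML.
// Returns true if all fields have valid non-HTML input and false if HTML text input was detected.
// Fields carrying the 'allowHtmlInput' class and empty fields are skipped. On the first offending
// field an error is added to the MessagePanel and the scan stops.
// Expensive to run on big forms so we shouldn't run this more than once on any given postback.
//
// The test is only "does the value contain '<' or '>'". It is a hint for the user, not a
// sanitizer: the server must still reject or encode HTML in whatever it receives.
function checkFieldsForHtml() {
    // Not sure why jQuery is not loaded yet on the default.aspx page but
    // this is a temporary stop-gap solution.
    if (typeof jQuery == 'undefined') {
        return true;
    }

    // Returning false inside the .each() callback only ends the iteration; it never becomes this
    // function's return value, so the outcome is carried out of the callback in this flag.
    var allFieldsClean = true;

    $(':text,textarea').each(function() {
        if (!$(this).hasClass('allowHtmlInput') && this.value && /[<>]/.test(this.value)) {
            MessagePanel.add_message('htmlInTextError', 'HTML symbols (&lt; or &gt;) are not allowed in text fields.',
                NCI.MessagePanelType.Error);
            allFieldsClean = false;
            return false; // stop iterating after the first offending field
        }
    });

    return allFieldsClean;
}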
// Notify Sys.Application, when the Sys namespace is present, that this script has finished loading.
if (typeof Sys !== 'undefined') {
    Sys.Application.notifyScriptLoaded();
}