From 81028fceacccd186b39d216594052a5e572d15c6 Mon Sep 17 00:00:00 2001
From: Berkeley Martinez
Date: Thu, 3 Dec 2015 14:07:39 -0800
Subject: [PATCH] Add ability to disable user code on page load

Adding `run=disabled` to the uri will disable the page from running user code. This is useful for pages that have frozen to to infinite loops or untrusted links that may be malicious
---
 client/commonFramework/code-uri.js | 44 +++++++++++++++++-------
 client/commonFramework/update-preview.js | 2 +-
 2 files changed, 33 insertions(+), 13 deletions(-)

diff --git a/client/commonFramework/code-uri.js b/client/commonFramework/code-uri.js
index a0694b892b..bbb84239b2 100644
--- a/client/commonFramework/code-uri.js
+++ b/client/commonFramework/code-uri.js
@@ -42,6 +42,8 @@ window.common = (function(global) {
 return decoded
 .split('?')
 .splice(1)
+ .pop()
+ .split('&')
 .reduce(function(found, param) {
 var key = param.split('=')[0];
 if (key === 'solution') {
@@ -55,6 +57,23 @@ window.common = (function(global) {
 codeUri.isInQuery(location.search) ||
 codeUri.isInQuery(location.hash);
 },
+ getKeyInQuery(query, keyToFind = '') {
+ return query
+ .split('&')
+ .reduce(function(oldValue, param) {
+ var key = param.split('=')[0];
+ var value = param.split('=')[1];
+ if (key === keyToFind) {
+ return value;
+ }
+ return oldValue;
+ }, null);
+ },
+ getSolutionFromQuery(query = '') {
+ return decodeFcc(
+ codeUri.decode(codeUri.getKeyInQuery(query, 'solution'))
+ );
+ },
 parse: function() {
 if (!codeUri.enabled) {
 return null;
@@ -62,6 +81,7 @@ window.common = (function(global) {
 var query;
 if (location.search && codeUri.isInQuery(location.search)) {
 query = location.search.replace(/^\?/, '');
+
 if (history && typeof history.replaceState === 'function') {
 history.replaceState(
 history.state,
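Review bot: The new `.pop()` returns `undefined` whenever `decoded` contains no `?`, because `.splice(1)` on a one-element array is empty, and the following `.split('&')` then throws a TypeError where the old `.reduce` over an empty array simply returned its seed. `isInQuery` is called with `location.search` and `location.hash`, both of which are empty strings on a plain page load, so this path is reachable unless the lines above the hunk already reject such input. Guard the chain head: `return (decoded.split('?').splice(1).pop() || '')` followed by `.split('&')`, which keeps the "last `?` segment" semantics and folds to the seed on empty input. `isInQuery` starts above this hunk and its `.reduce` body continues below it.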
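Review bot: `getKeyInQuery` returns `null` when the key is absent, and `getSolutionFromQuery` hands that straight to `codeUri.decode`, dropping the `value || ''` guard the removed `parse` body had; `parse` takes its hash branch without an `isInQuery` check, so a hash such as `#?run=disabled` with no `solution` reaches this call with `null`. Restore the default at the call site: `codeUri.decode(codeUri.getKeyInQuery(query, 'solution') || '')`. Separately, `param.split('=')[1]` keeps only the text between the first and second `=`, so if `codeUri.encode` (defined outside this hunk) can ever emit a literal `=`, the solution is silently truncated; worth a comment on `var value` stating that assumption, e.g. `// assumes encoded values never contain a literal '=' — confirm against codeUri.encode`.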
@@ -73,20 +93,12 @@ window.common = (function(global) {
 } else {
 query = location.hash.replace(/^\#\?/, '');
 }
+
 if (!query) {
 return null;
 }
- return query
- .split('&')
- .reduce(function(solution, param) {
- var key = param.split('=')[0];
- var value = param.split('=')[1];
- if (key === 'solution') {
- return decodeFcc(codeUri.decode(value || ''));
- }
- return solution;
- }, null);
+ return this.getSolutionFromQuery(query);
 },
 querify: function(solution) {
 if (!codeUri.enabled) {
@@ -96,7 +108,9 @@ window.common = (function(global) {
 history.replaceState(
 history.state,
 null,
- '?solution=' + codeUri.encode(encodeFcc(solution))
+ '#?solution=' +
+ codeUri.encode(encodeFcc(solution)) +
+ (codeUri.shouldRun() ? '&run=disabled' : '' )
 );
 } else {
 location.hash = '?solution=' +
@@ -105,7 +119,13 @@ window.common = (function(global) {
 return solution;
 },
- enabled: true
+ enabled: true,
+ shouldRun() {
+ return !this.getKeyInQuery(
+ (location.search || location.hash).replace(/^(\?|#\?)/, ''),
+ 'run'
+ );
+ }
 };
 common.init.push(function() {
diff --git a/client/commonFramework/update-preview.js b/client/commonFramework/update-preview.js
index 0f483a6a9c..9ba986d6a0 100644
--- a/client/commonFramework/update-preview.js
+++ b/client/commonFramework/update-preview.js
@@ -74,7 +74,7 @@ window.common = (function(global) {
 preview.write(
 libraryIncludes +
 jQuery +
- code +
+ (common.codeUri.shouldRun() ? code : '' ) +
 '' +
 iframeScript
 );
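Review bot: The replacement line reaches the helper through `this` while every other member reference in this object (`codeUri.enabled`, `codeUri.isInQuery`, `codeUri.decode`) goes through the closure name, so `parse` now breaks if it is ever detached from the object, e.g. handed to `common.init.push` as a bare callback, in which case `this` is not `codeUri`. Match the surrounding style: `return codeUri.getSolutionFromQuery(query);`. `parse` starts above this hunk.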
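Review bot: The `&run=disabled` suffix is appended exactly when `codeUri.shouldRun()` is true, that is when the URL currently carries no `run` param, and dropped when it does; since `shouldRun()` reads the same `location.hash` this `replaceState` call just wrote (when `location.search` is empty), the flag flips on every successive `querify` call, and the preview gate in update-preview.js flips with it. If the intent is to carry a user's opt-out forward across edits, invert the branches: `(codeUri.shouldRun() ? '' : '&run=disabled')`; if the intent is that every reload starts disabled, append it unconditionally and say so in a comment, because the current form does neither. The fallback `location.hash = '?solution=' + …` branch below never appends the flag in either case, so the two branches disagree. `querify` starts above this hunk.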
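Review bot: `shouldRun` treats any non-empty `run` value as "disabled" (`!value`), and because of `location.search || location.hash` it never looks at the hash once the search string is non-empty, so `?x#?solution=…&run=disabled` still runs; neither rule is stated anywhere. Document it above the method: `// Opt-out flag read from the URL: any non-empty run= value (the documented one is run=disabled) suppresses user code; a search string wins over the hash.` If only the documented value should count, `return this.getKeyInQuery(…, 'run') !== 'disabled';` pins it down, and using `codeUri` instead of `this` here matches the other members of this object literal.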
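Review bot: Gating `code` on `common.codeUri.shouldRun()` is a user-applied escape hatch, not a defence: the flag lives in the same URL a hostile link controls, and such a link simply omits it, so the "untrusted links" case in the commit message is not addressed by this line; whatever actually confines the preview document (a sandbox attribute, a separate origin) is created outside this hunk and is what that claim would rest on. Say so where the next maintainer will look: `// run=disabled in the URL is a manual escape hatch (e.g. after an infinite loop); it is NOT protection against hostile links, which control the URL.` above `preview.write(`. When the flag is set the preview is silently blank; writing `'<!-- user code skipped: run=disabled -->'` in place of `''` leaves a visible trace for whoever debugs an empty preview. The enclosing function starts above this hunk.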