From ed734bfdf376e6235584bba6688620c200aec75c Mon Sep 17 00:00:00 2001
From: Aurimas Vinckevicius <aurimas.dev@gmail.com>
Date: Tue, 19 May 2015 00:18:38 -0500
Subject: [PATCH] Merge 849803473a0386aacc86745466d56f0ff3463f48 into
 api_syncing Fixes #677

---
 .../xpcom/translation/translate_item.js       | 74 +++++++++++--------
 1 file changed, 42 insertions(+), 32 deletions(-)

diff --git a/chrome/content/zotero/xpcom/translation/translate_item.js b/chrome/content/zotero/xpcom/translation/translate_item.js
index e0e4c6f3e..9b57f2640 100644
--- a/chrome/content/zotero/xpcom/translation/translate_item.js
+++ b/chrome/content/zotero/xpcom/translation/translate_item.js
@@ -493,41 +493,51 @@ Zotero.Translate.ItemSaver.prototype = {
 			if(attachment.snapshot === false || !this._saveFiles) {
 				// if snapshot is explicitly set to false, attach as link
 				attachment.linkMode = "linked_url";
+				let url, mimeType;
 				if(attachment.document) {
-					yield Zotero.Attachments.linkFromURL({
-						url: attachment.document.location.href,
-						parentItemID: parentID,
-						contentType: attachment.mimeType ? attachment.mimeType : attachment.document.contentType,
-						title: title
-					})
-					.catch(function (e) {
-						Zotero.debug("Translate: Error adding attachment "+attachment.url, 2);
-						attachmentCallback(attachment, false, e);
-					});
-					
-					attachmentCallback(attachment, 100);
-					
-					return true;
+					url = attachment.document.location.href;
+					mimeType = attachment.mimeType ? attachment.mimeType : attachment.document.contentType;
 				} else {
-					if(!attachment.mimeType || !title) {
-						Zotero.debug("Translate: Either mimeType or title is missing; attaching file will be slower", 3);
-					}
-					
-					yield Zotero.Attachments.linkFromURL({
-						url: attachment.url,
-						parentItemID: parentID,
-						contentType: attachment.mimeType ? attachment.mimeType : undefined,
-						title: title
-					})
-					.catch(function (e) {
-						Zotero.debug("Translate: Error adding attachment "+attachment.url, 2);
-						attachmentCallback(attachment, false, e);
-					});
-					
-					attachmentCallback(attachment, 100);
-					
-					return true;
+					url = attachment.url
+					mimeType = attachment.mimeType ? attachment.mimeType : undefined;
 				}
+				
+				if(!mimeType || !title) {
+					Zotero.debug("Translate: Either mimeType or title is missing; attaching link to URL will be slower", 3);
+				}
+				
+				let cleanURI = Zotero.Attachments.cleanAttachmentURI(url);
+				if (!cleanURI) {
+					let e = "Translate: Invalid attachment URL specified <" + url + ">";
+					Zotero.debug(e, 2);
+					attachmentCallback(attachment, false, e);
+					return false;
+				}
+				url = Components.classes["@mozilla.org/network/io-service;1"]
+					.getService(Components.interfaces.nsIIOService)
+					.newURI(cleanURI, null, null); // This cannot fail, since we check above
+				
+				// Only HTTP/HTTPS links are allowed
+				if(url.scheme != "http" && url.scheme != "https") {
+					let e = "Translate: " + url.scheme + " protocol is not allowed for attachments from translators.";
+					Zotero.debug(e, 2);
+					attachmentCallback(attachment, false, e);
+					return false;
+				}
+				
+				yield Zotero.Attachments.linkFromURL({
+					url: cleanURI,
+					parentItemID: parentID,
+					contentType: mimeType,
+					title: title
+				})
+				.catch(function (e) {
+					Zotero.debug("Translate: Error adding attachment "+attachment.url, 2);
+					attachmentCallback(attachment, false, e);
+				});
+					
+				attachmentCallback(attachment, 100);
+				
 				return true;
 			} else {
 				// if snapshot is not explicitly set to false, retrieve snapshot