
Escape pasted text in compose area

Sanitizing text would cause some non-HTML text to disappear (see #86).
Instead, we escape HTML, so that the text looks exactly as it was pasted.

The applyFilters helper function has been removed, it's unclear what it
does. Being explicit is better in this case.
Danilo Bargen 8 years ago
parent
commit
85d271fc32
2 changed files with 13 additions and 19 deletions
  1. 12 17
      src/directives/compose_area.ts
  2. 1 2
      src/filters.ts

+ 12 - 17
src/directives/compose_area.ts

@@ -26,7 +26,6 @@ export default [
     '$translate',
     '$mdDialog',
     '$filter',
-    '$sanitize',
     '$log',
     function(browserService: threema.BrowserService,
              stringService: threema.StringService,
@@ -34,7 +33,6 @@ export default [
              $translate: ng.translate.ITranslateService,
              $mdDialog: ng.material.IDialogService,
              $filter: ng.IFilterService,
-             $sanitize: ng.sanitize.ISanitizeService,
              $log: ng.ILogService) {
         return {
             restrict: 'EA',
@@ -277,12 +275,6 @@ export default [
                     });
                 }
 
-                function applyFilters(text: string): string {
-                    const emojify = $filter('emojify') as (a: string, b?: boolean) => string;
-                    const parseNewLine = $filter('nlToBr') as (a: string, b?: boolean) => string;
-                    return parseNewLine(emojify(text, true), true);
-                }
-
                 // Handle pasting
                 function onPaste(ev: ClipboardEvent) {
                     ev.preventDefault();
@@ -346,17 +338,20 @@ export default [
                     } else if (textIdx !== null) {
                         const text = ev.clipboardData.getData('text/plain');
 
-                        // Apply filters (emojify, convert newline, etc)
-                        const formatted = applyFilters(text);
-
-                        // Replace HTML formatting with ASCII counterparts
+                        // Look up some filter functions
                         const htmlToAsciiMarkup = $filter('htmlToAsciiMarkup') as (a: string) => string;
+                        const escapeHtml = $filter('escapeHtml') as (a: string) => string;
+                        const emojify = $filter('emojify') as (a: string, b?: boolean) => string;
+                        const nlToBr = $filter('nlToBr') as (a: string, b?: boolean) => string;
+
+                        // Escape HTML markup
+                        const escaped = escapeHtml(htmlToAsciiMarkup(text));
 
-                        // Sanitize
-                        const sanitized = $sanitize(htmlToAsciiMarkup(formatted));
+                        // Apply filters (emojify, convert newline, etc)
+                        const formatted = nlToBr(emojify(escaped, true), true);
 
-                        // Insert HTML
-                        document.execCommand('insertHTML', false, sanitized);
+                        // Insert resulting HTML
+                        document.execCommand('insertHTML', false, formatted);
 
                         cleanupComposeContent();
                         updateView();
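Review bot: With `$sanitize` removed, the `insertHTML` call is safe only because `escapeHtml` runs before `emojify` and `nlToBr`, and nothing in the hunk records that ordering as a requirement. I would replace the `// Escape HTML markup` comment with `// Escape first: everything produced after this step is inserted as HTML without further sanitizing`, so a later reorder or an added filter is not made blindly. Separately, `htmlToAsciiMarkup` still runs on the raw `text/plain` data before escaping; its body is not visible here, but if it rewrites tags, pasted plain text containing literal tags would still be altered rather than shown as pasted, so it is worth confirming the call is still wanted on this path. The enclosing `onPaste` starts and ends outside this hunk.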
@@ -419,7 +414,7 @@ export default [
                 function onEmojiChosen(ev: MouseEvent): void {
                     ev.stopPropagation();
                     const emoji = this.textContent; // Unicode character
-                    const formatted = applyFilters(emoji);
+                    const formatted = ($filter('emojify') as any)(emoji, true);
 
                     // Firefox inserts a <br> after editing content editable fields.
                     // Remove the last <br> to fix this.
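Review bot: The `as any` cast on `$filter('emojify')` drops the signature that the paste branch in this same commit spells out; `const emojify = $filter('emojify') as (a: string, b?: boolean) => string;` followed by `const formatted = emojify(emoji, true);` keeps the call type-checked. `this.textContent` can be `null` per the DOM typings, so a guard such as `if (emoji === null) { return; }` would make that case explicit. How `formatted` is inserted lies below the hunk; if it also ends up in an `insertHTML` call, this path relies on the picker element's text being trusted, which deserves a one-line comment next to the call.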

+ 1 - 2
src/filters.ts

@@ -34,8 +34,7 @@ angular.module('3ema.filters', [])
         if (text === undefined || text === null) {
             text = '';
         }
-        const escaped = text.replace(/[&<>"']/g, (m) => map[m]);
-        return escaped;
+        return text.replace(/[&<>"']/g, (m) => map[m]);
     };
 })