ad_html_security_check_helper (private)

 ad_html_security_check_helper -allowed_tags allowed_tags \
    -allowed_attributes allowed_attributes \
    -allowed_protocols allowed_protocols html

Defined in packages/acs-tcl/tcl/text-html-procs.tcl

Helper proc for ad_html_security_check that does the actual checking: it walks every opening tag in html and returns an error message for the first tag, attribute or protocol that is not allowed, or the empty string when the HTML passes.

Switches:
    -allowed_tags (required)
        List of tag names accepted in html, or "*" to accept any tag.
    -allowed_attributes (required)
        List of attribute names accepted on those tags, or "*" to accept any attribute.
    -allowed_protocols (required)
        List of protocols (URL schemes) accepted in attribute values, or "*" to accept any protocol.
Parameters:
    html
        The HTML fragment to check.
Partial Call Graph (max 5 caller/called nodes):
    ad_html_security_check (public) -> ad_html_security_check_helper (private)
    ad_html_security_check_helper (private) -> ad_html_security_check_protocol (private)

Testcases:
No testcase defined.
Source code:

    #
    # Loop over all tags. ns_parsehtml -onlytags returns one element per
    # tag; each element holds the tag name followed by a dict of its
    # attributes. The whole element is lowercased before being split.
    #
    set parseListElements [ns_parsehtml -onlytags -- $html]
    foreach parseListElement $parseListElements {
        lassign [string tolower $parseListElement] tag dict

        if {[string range $tag 0 0] eq "/"} {
            #
            # Ignore closing tags
            #
            continue
        }
        if {$allowed_tags ne "*" && $tag ni $allowed_tags} {
            #
            # This tag is not allowed.
            #
            return [subst {For security reasons we only accept the submission of HTML
                containing the following tags: [join $allowed_tags " "].
                You have a '[string toupper $tag]' tag in there.
            }]
        } else {
            #
            # Valid and allowed tag. Check attributes. Note that an
            # attribute allowlist of "*" skips this loop, and with it
            # the protocol check below.
            #
            if { $allowed_attributes ne "*"} {
                foreach attr_name [dict keys $dict] {
                    if {$attr_name ni $allowed_attributes} {
                        return "The attribute '$attr_name' is not allowed for $tag tags"
                    }
                    #
                    # Attribute is allowed. Check now protocols; style
                    # attributes carry CSS, not URLs, and are exempt.
                    #
                    if { $allowed_protocols ne "*" && $attr_name ne "style" } {
                        set r [ad_html_security_check_protocol \
                                   -attr_name $attr_name \
                                   -attr_value [dict get $dict $attr_name] \
                                   -allowed_protocols $allowed_protocols]
                        if {$r ne ""} {
                            return $r
                        }
                    }
                }
            }
        }
    }
    #
    # No problem found: the HTML is acceptable.
    #
    return ""
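To show what the helper accepts and rejects on concrete input, here is a stand-alone Python port of the same allowlist logic. It is an added example, not code from OpenACS: the policy lists (ALLOWED_TAGS, ALLOWED_ATTRIBUTES, ALLOWED_PROTOCOLS) are constructed sample values, Python's html.parser stands in for ns_parsehtml -onlytags, and check_protocol is an assumed scheme check standing in for the private ad_html_security_check_protocol proc, which this page only shows being called.

```python
import re
from html.parser import HTMLParser

# Constructed sample policy used by the examples below; these are assumed
# values, not the defaults OpenACS ships with.
ALLOWED_TAGS = ["p", "a", "b", "i", "br"]
ALLOWED_ATTRIBUTES = ["href", "title", "style"]
ALLOWED_PROTOCOLS = ["http", "https", "mailto"]

# RFC 3986 scheme syntax: a letter followed by letters, digits, "+", "-" or ".",
# terminated by a colon. Leading whitespace is skipped.
_SCHEME_RE = re.compile(r"\s*([A-Za-z][A-Za-z0-9+.\-]*):")


def check_protocol(attr_name, attr_value, allowed_protocols):
    """Assumed stand-in for ad_html_security_check_protocol: rejects an
    attribute value whose URL scheme is not in the allowlist; values without
    a scheme (relative URLs) pass. Returns "" when acceptable, else a message."""
    match = _SCHEME_RE.match(attr_value)
    if match is None:
        return ""
    scheme = match.group(1).lower()
    if scheme in allowed_protocols:
        return ""
    return "The protocol '%s' is not allowed in attribute '%s'" % (scheme, attr_name)


class _OpeningTagCollector(HTMLParser):
    """Collects (tag, [(attr, value), ...]) for every opening tag, playing the
    role of ns_parsehtml -onlytags; closing tags are ignored as in the Tcl."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names.
        self.tags.append((tag, [(name, value or "") for name, value in attrs]))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def html_security_check(html, allowed_tags="*", allowed_attributes="*",
                        allowed_protocols="*"):
    """Port of the allowlist logic in ad_html_security_check_helper.
    "*" for any policy means "accept anything". Returns "" when the HTML is
    acceptable, otherwise the message for the first problem found."""
    parser = _OpeningTagCollector()
    parser.feed(html)
    parser.close()
    for tag, attrs in parser.tags:
        if allowed_tags != "*" and tag not in allowed_tags:
            return ("For security reasons we only accept the submission of HTML "
                    "containing the following tags: %s. You have a '%s' tag in there."
                    % (" ".join(allowed_tags), tag.upper()))
        if allowed_attributes == "*":
            # As in the original helper, an attribute allowlist of "*" skips
            # the attribute loop entirely, and with it the protocol check.
            continue
        for name, value in attrs:
            if name not in allowed_attributes:
                return "The attribute '%s' is not allowed for %s tags" % (name, tag)
            # Attribute is allowed; check its protocol unless it is a style
            # attribute (a CSS value such as "color:red" would otherwise look
            # like a scheme).
            if allowed_protocols != "*" and name != "style":
                problem = check_protocol(name, value, allowed_protocols)
                if problem:
                    return problem
    return ""


if __name__ == "__main__":
    # Constructed inputs exercising each branch of the check.
    for sample in ['<p>Hello <b>world</b></p>',
                   '<p>x</p><script>x</script>',
                   '<a onclick="x">y</a>',
                   '<a href="javascript:void(0)">y</a>',
                   '<a href="/relative/path">y</a>']:
        result = html_security_check(sample, ALLOWED_TAGS, ALLOWED_ATTRIBUTES,
                                     ALLOWED_PROTOCOLS)
        print("%-40s -> %s" % (sample, result or "OK"))
```

Two behaviours of the original are worth noticing in the port: passing "*" as the attribute allowlist disables the protocol check along with the attribute check, so a deployment that wants protocol filtering must also supply an attribute list; and style attributes are never protocol-checked, so CSS values with colons do not trip the scheme test.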
XQL Not present:
Generic, PostgreSQL, Oracle