ad_html_security_check_protocol (private)

 ad_html_security_check_protocol [ -attr_name attr_name ] \
    [ -attr_value attr_value ] \
    [ -allowed_protocols allowed_protocols ]

Defined in packages/acs-tcl/tcl/text-html-procs.tcl

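Checks the protocol at the start of an attribute value against the list of allowed protocols. Returns an error message if the protocol is not in the list, and the empty string otherwise.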

Switches:
    -attr_name (optional)
    -attr_value (optional)
    -allowed_protocols (optional)

Partial Call Graph (max 5 caller/called nodes):
ad_html_security_check_helper (private) -> ad_html_security_check_protocol

Testcases:
No testcase defined.
Source code:
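        # Match a scheme after optional leading whitespace: either "<scheme>://"
        # (captured in p1) or one of data:, javascript:, blob: (captured in p2).
        if { [regexp {^\s*(([^\s:]+):\/\/|(data|javascript|blob):)} $attr_value match . p1 p2] } {
            # Lower-case the captured scheme before the allow-list lookup.
            set protocol [string tolower [expr {$p1 ne "" ? $p1 : $p2}]]
            if { $protocol ni $allowed_protocols } {
                return [subst {The allowed URLs can only use these protocols:
                    [join $allowed_protocols ", "].
                    You have a '$protocol' protocol in attribute '$attr_name' there.}]
            }
        }
        # No scheme matched, or the scheme is in the allow-list.
        return ""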
XQL Not present:
Generic, PostgreSQL, Oracle
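
The page lists no test case for this procedure. The following table-driven check is an added example, not part of OpenACS: it wraps the body shown above in a plain Tcl proc so it runs in a bare tclsh (8.5 or later) without ad_proc. The proc name check_protocol, the positional arguments, the allow-list and all sample values are constructed for this example.

```tcl
# Added example (not OpenACS code): the body from the listing above,
# wrapped in a plain proc with positional arguments instead of switches.
proc check_protocol {attr_name attr_value allowed_protocols} {
    if { [regexp {^\s*(([^\s:]+):\/\/|(data|javascript|blob):)} $attr_value match . p1 p2] } {
        set protocol [string tolower [expr {$p1 ne "" ? $p1 : $p2}]]
        if { $protocol ni $allowed_protocols } {
            return [subst {The allowed URLs can only use these protocols:
                [join $allowed_protocols ", "].
                You have a '$protocol' protocol in attribute '$attr_name' there.}]
        }
    }
    return ""
}

# Assumed allow-list for the example; the real list is supplied by the caller.
set allowed {http https ftp}

# Constructed cases: attribute name, attribute value, expected outcome.
set failures 0
foreach {attr value expect} {
    href "https://example.org/page"     accept
    href "  HTTP://example.org/"        accept
    href "/relative/path?x=1"           accept
    src  "data:text/html;base64,AAAA"   reject
    href "javascript:void(0)"           reject
    href "gopher://example.org/"        reject
} {
    set msg [check_protocol $attr $value $allowed]
    set got [expr {$msg eq "" ? "accept" : "reject"}]
    if { $got ne $expect } { incr failures }
    puts [format "%-7s %-5s %s" $got $attr $value]
}

# Fail loudly if any case differs from the expected outcome.
if { $failures > 0 } {
    error "$failures case(s) differ from the expected outcome"
}
```

The accepted cases show the two paths that return the empty string: a scheme that lower-cases to an allow-listed entry, and a value such as a relative path in which the pattern finds no scheme at all.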