ad_html_security_check (public)

 ad_html_security_check [ -allowed_tags allowed_tags ] \
    [ -allowed_attributes allowed_attributes ] \
    [ -allowed_protocols allowed_protocols ] html

Defined in packages/acs-tcl/tcl/text-html-procs.tcl

Returns a human-readable explanation if the user has used any HTML tag, attribute or URL protocol other than the allowed ones. The check is made against the provided values. If these values are not provided, the function takes the union of the per-package instance value and the values from the "antispam" section of the kernel parameters.

Switches:
-allowed_tags (optional)
-allowed_attributes (optional)
-allowed_protocols (optional)
Parameters:
html (required)
The HTML text being validated.
Returns:
A human-readable, plaintext explanation of what is wrong with the user's input. If everything is OK, it returns an empty string.
Author:
Lars Pind <lars@pinds.com>
Created:
20 July 2000

Partial Call Graph (max 5 caller/called nodes):
Callers:
  ad_html_security_check_forbidden_protolcols (test acs-tcl)
  ad_html_security_check_forbidden_tags (test acs-tcl)
  ad_html_security_check_href_allowed (test acs-tcl)
  ad_page_contract_filter_proc_html (public)
  packages/calendar/www/cal-item-new.tcl
  packages/news/www/preview.tcl
  template::data::validate::richtext (public)
  template::data::validate::richtext_or_file (public)
Called:
  ad_html_security_check_helper (private)
  parameter::get (public)

Testcases:
ad_html_security_check_href_allowed, ad_html_security_check_forbidden_protolcols, ad_html_security_check_forbidden_tags
Source code:
    #
    # Allow in certain situations additional attributes (e.g. the
    # <form> tag for the "form" in an xowiki::Form).  There
    # should be better ways developed to handle such cases...
    #
    if {[info exists ::__extra_allowed_tags]} {
        set extra_tags $::__extra_allowed_tags
    } else {
        set extra_tags ""
    }
    #ns_log notice "extra_tags <$extra_tags>"

    #
    # "<%" opens an ADP template directive, so it is refused outright
    # regardless of the allow lists.
    #
    if { [string first <% $html] > -1 } {
        return "For security reasons, you're not allowed to have the less-than-percent combination in your input."
    }

    #
    # Fall back to the kernel "antispam" parameters for any list the
    # caller did not supply, then merge the extra tags from above.
    #
    if {![info exists allowed_tags]} {
        set allowed_tags [parameter::get -package_id $::acs::kernel_id -parameter AllowedTag]
    }
    lappend allowed_tags {*}$extra_tags

    if {![info exists allowed_attributes]} {
        set allowed_attributes [parameter::get -package_id $::acs::kernel_id -parameter AllowedAttribute]
    }

    if {![info exists allowed_protocols]} {
        set allowed_protocols [parameter::get -package_id $::acs::kernel_id -parameter AllowedProtocol]
    }

    #
    # Normalize: lists are compared case-insensitively, and a list that
    # contains "*" allows everything.
    #
    foreach var {attributes tags protocols} {
        set allowed_$var [string tolower [set allowed_$var]]
        set allow_all_$var [expr {"*" in [set allowed_$var]}]
    }

    foreach var {attributes tags protocols} {
        if {[set allow_all_$var]} {
            set allowed_$var *
        }
    }

    return [ad_html_security_check_helper \
                -allowed_tags $allowed_tags \
                -allowed_attributes $allowed_attributes \
                -allowed_protocols $allowed_protocols \
                $html]
XQL Not present:
Generic, PostgreSQL, Oracle
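The procedure above only normalizes the allow lists and delegates the actual scan to the private ad_html_security_check_helper, whose source is not shown on this page. The following stand-alone tclsh script is an added example, not OpenACS code: it reproduces the documented behaviour (the "<%" refusal, case-insensitive allow lists, the "*" wildcard, and a plaintext explanation or an empty string as the result) with its own simplified scanner. The proc name html_allowlist_check, the regular expressions and the sample allow lists are this example's own assumptions and do not reflect how the real helper or the kernel antispam defaults are implemented.

```tcl
#!/usr/bin/env tclsh
# Added example (not OpenACS code). Requires Tcl 8.5+ for the "in"/"ni"
# expr operators. The scanner below approximates what the private
# ad_html_security_check_helper does; it is not that helper.

proc html_allowlist_check {allowed_tags allowed_attributes allowed_protocols html} {
    # Same "<%" refusal as ad_html_security_check (ADP template directive).
    if {[string first <% $html] > -1} {
        return "For security reasons, you're not allowed to have the less-than-percent combination in your input."
    }

    # Normalize exactly as the documented body does: lowercase each list and
    # collapse any list containing "*" to the single wildcard "*".
    foreach var {tags attributes protocols} {
        set allowed_$var [string tolower [set allowed_$var]]
        if {"*" in [set allowed_$var]} {
            set allowed_$var *
        }
    }

    set errors {}
    # Walk every tag; group 1 = tag name, group 2 = raw attribute text.
    foreach {_ tag attrtext} [regexp -all -inline {<\s*/?\s*([A-Za-z][A-Za-z0-9]*)([^>]*)>} $html] {
        set tag [string tolower $tag]
        if {$allowed_tags ne "*" && $tag ni $allowed_tags} {
            lappend errors "Tag '<$tag>' is not allowed; allowed tags are: $allowed_tags"
            continue
        }
        # Walk attributes: name plus a double-quoted, single-quoted or bare value.
        foreach {_ name dq sq bare} [regexp -all -inline \
                {([A-Za-z][A-Za-z0-9:-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))} $attrtext] {
            set name [string tolower $name]
            if {$allowed_attributes ne "*" && $name ni $allowed_attributes} {
                lappend errors "Attribute '$name' on '<$tag>' is not allowed; allowed attributes are: $allowed_attributes"
                continue
            }
            set value [string trim "$dq$sq$bare"]
            # A value that carries a URL scheme must use an allowed protocol.
            if {[regexp {^([A-Za-z][A-Za-z0-9+.-]*):} $value _ scheme]} {
                set scheme [string tolower $scheme]
                if {$allowed_protocols ne "*" && $scheme ni $allowed_protocols} {
                    lappend errors "Protocol '$scheme:' in attribute '$name' on '<$tag>' is not allowed; allowed protocols are: $allowed_protocols"
                }
            }
        }
    }
    # Empty string means the input passed, as with ad_html_security_check.
    return [join $errors "\n"]
}

# Constructed sample allow lists (assumptions; real sites take these from
# the kernel antispam parameters AllowedTag/AllowedAttribute/AllowedProtocol).
set tags   {P B I A}
set attrs  {href title}
set protos {http https mailto}

# Passes: every tag, attribute and protocol is on the lists (case-insensitive).
puts "1: [html_allowlist_check $tags $attrs $protos {<p>Hello <b>world</b> <a HREF="https://example.com/">link</a></p>}]"
# Rejected: "onclick" is not an allowed attribute.
puts "2: [html_allowlist_check $tags $attrs $protos {<p onclick="x()">hi</p>}]"
# Rejected: the href uses a scheme that is not on the protocol list.
puts "3: [html_allowlist_check $tags $attrs $protos {<a href="javascript:void(0)">x</a>}]"
# Rejected: template syntax is refused before any list is consulted.
puts "4: [html_allowlist_check $tags $attrs $protos {<p><%= 1 %></p>}]"
# Passes: "*" in the tag list allows every tag.
puts "5: [html_allowlist_check {*} $attrs $protos {<script></script>}]"
```

Run it with tclsh; cases 1 and 5 print an empty explanation and cases 2 to 4 print one line each. The scanner deliberately stops at the first problem per tag or attribute, which keeps the explanation short, but note it is regexp-based and therefore not a full HTML parser; production code should keep calling ad_html_security_check, which is what template::data::validate::richtext and ad_page_contract_filter_proc_html do.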