ad_html_security_check_helper (private)

 ad_html_security_check_helper -allowed_tags allowed_tags \
    -allowed_attributes allowed_attributes \
    -allowed_protocols allowed_protocols html

Defined in packages/acs-tcl/tcl/text-html-procs.tcl

Helper proc for ad_html_security_check that does the hard work: it walks every tag in the submitted HTML and rejects the first tag, attribute or URL protocol that is not on the respective allowlist.

Switches:
  -allowed_tags (required)
  -allowed_attributes (required)
  -allowed_protocols (required)
Parameters:
  html

Partial Call Graph (max 5 caller/called nodes):
  ad_html_security_check (public) -> ad_html_security_check_helper (private)
  ad_html_security_check_helper (private) -> ad_html_security_check_protocol (private)

Testcases:
No testcase defined.
Source code:
        # loop over all tags
        set parseListElements [ns_parsehtml -onlytags -- $html]
        foreach parseListElement $parseListElements {
            lassign [string tolower $parseListElement] tag dict

            if {[string range $tag 0 0] eq "/"} {
                #
                # Ignore closing tags
                #
                continue
            }
            if {$allowed_tags ne "*" && $tag ni $allowed_tags} {
                #
                # This tag is not allowed.
                #
                return [subst {For security reasons we only accept the submission of HTML
                    containing the following tags: [join $allowed_tags " "].
                    You have a '[string toupper $tag]' tag in there.
                }]
            } else {
                #
                # Valid and allowed tag. Check attributes.
                #
                if { $allowed_attributes ne "*"} {
                    foreach attr_name [dict keys $dict] {
                        if {$attr_name ni $allowed_attributes} {
                            return "The attribute '$attr_name' is not allowed for $tag tags"
                        }
                        #
                        # Attribute is allowed. Check now protocols
                        #
                        if { $allowed_protocols ne "*" && $attr_name ne "style" } {
                            set r [ad_html_security_check_protocol \
                                       -attr_name $attr_name \
                                       -attr_value [dict get $dict $attr_name] \
                                       -allowed_protocols $allowed_protocols]
                            if {$r ne ""} {
                                return $r
                            }
                        }
                    }
                }
            }
        }
        return ""
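The proc above relies on NaviServer's ns_parsehtml and on ad_html_security_check_protocol, neither of which is available outside an OpenACS installation. The following is an added example, not OpenACS code, that reimplements the same allowlist walk in Python on top of html.parser so the behaviour can be exercised stand-alone: closing tags are ignored, a tag outside the allowlist is rejected first, then each attribute is checked, and for every attribute except style the URL scheme is checked against the protocol allowlist. The scheme extraction (_scheme_of) is an assumption of this example, since the page does not show ad_html_security_check_protocol; it strips embedded whitespace and control characters before looking for a scheme and treats scheme-less values as relative URLs. The sample inputs in the test are constructed.

```python
"""Added illustration (not OpenACS code): an allowlist HTML check in the
spirit of ad_html_security_check_helper, built on Python's html.parser
instead of NaviServer's ns_parsehtml."""
from html.parser import HTMLParser
import re

# Assumption of this example: a scheme is whatever precedes the first ':'
# once whitespace and control characters are removed; a value with no
# scheme is a relative URL and carries no protocol to check.
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):")


def _scheme_of(value):
    """Return the lowercase URL scheme of an attribute value, or None."""
    cleaned = "".join(ch for ch in value if ord(ch) > 32)
    m = _SCHEME_RE.match(cleaned.lower())
    return m.group(1) if m else None


class _TagCollector(HTMLParser):
    """Collect opening tags with their attributes; end tags are ignored,
    mirroring the 'Ignore closing tags' branch of the Tcl proc."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []  # list of (tag, [(attr_name, attr_value), ...])

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag.lower(), [(k.lower(), v) for k, v in attrs]))

    # Self-closing forms such as <br/> are opening tags for this purpose.
    handle_startendtag = handle_starttag


def html_security_check(html, allowed_tags, allowed_attributes, allowed_protocols):
    """Return "" when html passes all three allowlists, otherwise a message
    describing the first violation. Each allowlist is a list of lowercase
    names, or the string "*" to accept anything (as in the Tcl proc)."""
    parser = _TagCollector()
    parser.feed(html)
    parser.close()

    for tag, attrs in parser.tags:
        if allowed_tags != "*" and tag not in allowed_tags:
            return ("For security reasons we only accept the submission of HTML "
                    "containing the following tags: " + " ".join(allowed_tags) +
                    ". You have a '" + tag.upper() + "' tag in there.")
        if allowed_attributes == "*":
            continue
        for name, value in attrs:
            if name not in allowed_attributes:
                return "The attribute '" + name + "' is not allowed for " + tag + " tags"
            # style is skipped, as in the original: "color:red" would
            # otherwise look like a URL with scheme "color".
            if allowed_protocols != "*" and name != "style":
                scheme = _scheme_of(value or "")
                if scheme is not None and scheme not in allowed_protocols:
                    return ("Your URLs can only use the following protocols: " +
                            " ".join(allowed_protocols) + ". You have '" + scheme +
                            ":' in the '" + name + "' attribute of a " + tag + " tag.")
    return ""


if __name__ == "__main__":
    # Constructed sample: a relative src passes, a scheme outside the
    # allowlist does not.
    print(repr(html_security_check("<img src='/local.png'>", ["img"], ["src"], ["https"])))
    print(html_security_check("<a href='JavaScript:void(0)'>x</a>", ["a"], ["href"], ["http", "https"]))
```

The check stops at the first violation and returns a message, the same contract the Tcl proc uses, so a caller can treat any non-empty result as a rejection. Passing "*" for an allowlist disables that layer of the check entirely, which is why a deployment normally sets all three explicitly rather than relying on the wildcard.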
XQL Not present:
Generic, PostgreSQL, Oracle