ad_html_security_check_protocol (private)

 ad_html_security_check_protocol [ -attr_name attr_name ] \
    [ -attr_value attr_value ] \
    [ -allowed_protocols allowed_protocols ]

Defined in packages/acs-tcl/tcl/text-html-procs.tcl

Check for allowed protocol in attribute value

Switches:
-attr_name (optional)
-attr_value (optional)
-allowed_protocols (optional)

Partial Call Graph (max 5 caller/called nodes):
ad_html_security_check_helper (private) -> ad_html_security_check_protocol

Testcases:
No testcase defined.
Source code:
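    # Extract the scheme from the attribute value: either "<scheme>://" (p1)
    # or one of the scheme-only forms data:, javascript:, blob: (p2).
    # URL schemes are case-insensitive, so match with -nocase.
    if { [regexp -nocase {^\s*(([^\s:]+):\/\/|(data|javascript|blob):)} $attr_value match . p1 p2] } {
        set protocol [string tolower [expr {$p1 ne "" ? $p1 : $p2}]]
        # Reject any scheme that is not on the caller's allow-list.
        if { $protocol ni $allowed_protocols } {
            return [subst {The allowed URLs can only use these protocols:
                [join $allowed_protocols ", "].
                You have a '$protocol' protocol in attribute '$attr_name' there.}]
        }
    }
    # An empty string means no disallowed protocol was found.
    return ""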
XQL Not present:
Generic, PostgreSQL, Oracle