Index: openacs-4/packages/general-comments/tcl/general-comments-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/general-comments/tcl/general-comments-procs.tcl,v
diff -u -r1.25.2.8 -r1.25.2.9
--- openacs-4/packages/general-comments/tcl/general-comments-procs.tcl 7 Feb 2023 12:46:43 -0000 1.25.2.8
+++ openacs-4/packages/general-comments/tcl/general-comments-procs.tcl 24 Apr 2024 10:40:51 -0000 1.25.2.9
@@ -248,6 +248,44 @@
 return [site_node::get_package_url -package_key "general-comments"]
 }
+#
+# Package-specific page contract filter
+#
+
+ad_page_contract_filter general_comments_safe { name value } {
+ Safety checks for content posted in a comment. These checks are
+ package-specific, because content we may allow in other packages,
+ e.g. via the AllowedTag parameter in acs-kernel, should not be
+ allowed here.
+} {
+ #
+ # We do not allow iframes or frames
+ #
+ if {[regexp -nocase {<(iframe|frame)} $value]} {
+ ad_complain [_ acs-tcl.lt_name_contains_invalid]
+ return 0
+ }
+
+ #
+ # We do not allow any javascript in the content, including
+ # event handlers.
+ #
+ if {![ad_dom_sanitize_html \
+ -allowed_tags * \
+ -allowed_attributes * \
+ -allowed_protocols * \
+ -html $value \
+ -no_js \
+ -validate]} {
+ ad_complain [_ acs-tcl.lt_name_contains_invalid]
+ return 0
+ }
+
+ return 1
+}
+
+##
+
 # these are being replaced with the above procs
 namespace eval general_comments {
Index: openacs-4/packages/general-comments/www/comment-add-2.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/general-comments/www/comment-add-2.tcl,v
diff -u -r1.8.2.7 -r1.8.2.8
--- openacs-4/packages/general-comments/www/comment-add-2.tcl 24 Apr 2024 10:25:46 -0000 1.8.2.7
+++ openacs-4/packages/general-comments/www/comment-add-2.tcl 24 Apr 2024 10:40:51 -0000 1.8.2.8
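Review bot: Both `ad_complain [_ acs-tcl.lt_name_contains_invalid]` calls in general_comments_safe drop the `[list name ...]` substitution that the validate blocks this filter replaces passed to the same message key, so the user-facing error presumably loses the field name that key is meant to mention. The filter already receives the parameter name as its first argument, so `ad_complain [_ acs-tcl.lt_name_contains_invalid [list name $name]]` on both branches keeps the message complete (the removed code passed `[_ general-comments.Comment]` instead, which would also work here). It would also help to state in the filter's doc block that `-allowed_tags *` and `-allowed_attributes *` mean no tag or attribute restriction is applied here, e.g. `This filter only rejects frames and JavaScript; tag and attribute restrictions are expected to come from the html page-contract filter declared alongside it.`, if that is indeed where they are enforced.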
@@ -11,7 +11,7 @@
 object_id:naturalnum,notnull
 { object_name "[acs_object_name $object_id]" }
 title:notnull,printable,string_length(max|200)
- content:html,notnull
+ content:html,notnull,general_comments_safe
 comment_mime_type:oneof(text/plain|text/html),notnull
 { context_id:naturalnum "$object_id" }
 { category {} }
@@ -27,33 +27,6 @@
 object_name:onevalue
 category:onevalue
 return_url:onevalue
-} -validate {
- safe_content {
- #
- # We do not allow iframes in the content.
- #
- if {[regexp -nocase {<(iframe|frame)} $content]} {
- ad_complain [_ acs-tcl.lt_name_contains_invalid \
- [list name [_ general-comments.Comment]]]
- return
- }
-
- #
- # We do not allow any javascript in the content, including
- # event handlers.
- #
- if {![ad_dom_sanitize_html \
- -allowed_tags * \
- -allowed_attributes * \
- -allowed_protocols * \
- -html $content \
- -no_js \
- -validate]} {
- ad_complain [_ acs-tcl.lt_name_contains_invalid \
- [list name [_ general-comments.Comment]]]
- return
- }
- }
 }
 # check to see if the user can create comments on this object
Index: openacs-4/packages/general-comments/www/comment-edit-2.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/general-comments/www/comment-edit-2.tcl,v
diff -u -r1.8.2.4 -r1.8.2.5
--- openacs-4/packages/general-comments/www/comment-edit-2.tcl 23 Mar 2023 15:41:37 -0000 1.8.2.4
+++ openacs-4/packages/general-comments/www/comment-edit-2.tcl 24 Apr 2024 10:40:51 -0000 1.8.2.5
@@ -17,7 +17,7 @@
 comment_id:naturalnum,notnull
 object_id:naturalnum,notnull
 title:notnull,printable,string_length(max|200)
- content:notnull,html
+ content:notnull,html,general_comments_safe
 comment_mime_type:oneof(text/plain|text/html),notnull
 { return_url:localurl {} }
 } -properties {
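Review bot: The two pages now declare the same checks on content in a different order: comment-add-2 has `content:html,notnull,general_comments_safe` while the comment-edit-2 hunk below has `content:notnull,html,general_comments_safe`. As far as I recall, ad_page_contract applies a parameter's filters in the order they are declared (notnull may be special-cased), so the sequence in which an empty or malformed value is reported can differ between adding and editing a comment; even if that does not matter, reading the two declarations consistently is cheaper. Aligning comment-add-2 on `content:notnull,html,general_comments_safe` would match the edit page. The removed -validate blocks in both files are the history this filter replaces, so nothing else in the deletion hunks needs attention.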
@@ -27,23 +27,6 @@
 title:onevalue
 content:onevalue
 target:onevalue
-} -validate {
- no_js_in_content {
- #
- # We do not allow any javascript in the content, including
- # event handlers.
- #
- if {![ad_dom_sanitize_html \
- -allowed_tags * \
- -allowed_attributes * \
- -allowed_protocols * \
- -html $content \
- -no_js \
- -validate]} {
- ad_complain [_ acs-tcl.lt_name_contains_invalid \
- [list name [_ general-comments.Comment]]]
- }
- }
 }