Index: openacs-4/packages/general-comments/tcl/general-comments-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/general-comments/tcl/general-comments-procs.tcl,v
diff -u -r1.25.2.8 -r1.25.2.9
--- openacs-4/packages/general-comments/tcl/general-comments-procs.tcl	7 Feb 2023 12:46:43 -0000	1.25.2.8
+++ openacs-4/packages/general-comments/tcl/general-comments-procs.tcl	24 Apr 2024 10:40:51 -0000	1.25.2.9
@@ -248,6 +248,44 @@
     return [site_node::get_package_url -package_key "general-comments"]
 }
 
+#
+# Package-specific page contract filter
+#
+
+ad_page_contract_filter general_comments_safe { name value } {
+    Safety checks for content posted in a comment. These checks are
+    package-specific, because content we may allow in other packages,
+    e.g. via the AllowedTag parameter in acs-kernel, should not be
+    allowed here.
+} {
+    #
+    # We do not allow iframes or frames
+    #
+    if {[regexp -nocase {<(iframe|frame)} $value]} {
+        ad_complain [_ acs-tcl.lt_name_contains_invalid]
+        return 0
+    }
+
+    #
+    # We do not allow any javascript in the content, including
+    # event handlers.
+    #
+    if {![ad_dom_sanitize_html \
+              -allowed_tags * \
+              -allowed_attributes * \
+              -allowed_protocols * \
+              -html $value \
+              -no_js \
+              -validate]} {
+        ad_complain [_ acs-tcl.lt_name_contains_invalid]
+        return 0
+    }
+
+    return 1
+}
+
+##
+
 # these are being replaced with the above procs
 namespace eval general_comments {
 
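Review bot: Both `ad_complain` calls in the new filter drop the substitution list that the replaced page validators passed, `[list name [_ general-comments.Comment]]`; with no list, the `%name%` placeholder of acs-tcl.lt_name_contains_invalid is presumably resolved from the filter's `name` argument, i.e. the raw form-variable name `content` rather than the localized "Comment" label the old messages showed — confirm, and use `ad_complain [_ acs-tcl.lt_name_contains_invalid [list name [_ general-comments.Comment]]]` if the previous wording is wanted. The doc block says content allowed elsewhere via AllowedTag must not be allowed here, yet the filter itself passes `-allowed_tags *`, `-allowed_attributes *` and `-allowed_protocols *` and rejects only frames and JavaScript; the tag whitelist still comes from the separate `html` filter, so the docstring should state that this filter only adds the frame and script checks on top of `html` rather than replacing it. With `-allowed_protocols *`, rejection of script-bearing URLs rests entirely on `-no_js`; a one-line comment recording that assumption next to the call would help the next reader. The bare `##` line after the proc looks like a leftover and could be removed.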
Index: openacs-4/packages/general-comments/www/comment-add-2.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/general-comments/www/comment-add-2.tcl,v
diff -u -r1.8.2.7 -r1.8.2.8
--- openacs-4/packages/general-comments/www/comment-add-2.tcl	24 Apr 2024 10:25:46 -0000	1.8.2.7
+++ openacs-4/packages/general-comments/www/comment-add-2.tcl	24 Apr 2024 10:40:51 -0000	1.8.2.8
@@ -11,7 +11,7 @@
     object_id:naturalnum,notnull
     { object_name "[acs_object_name $object_id]" }
     title:notnull,printable,string_length(max|200)
-    content:html,notnull
+    content:html,notnull,general_comments_safe
     comment_mime_type:oneof(text/plain|text/html),notnull
     { context_id:naturalnum "$object_id" }
     { category {} }
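Review bot: The filter chain is spelled `html,notnull,general_comments_safe` here but `notnull,html,general_comments_safe` in comment-edit-2.tcl. If ad_page_contract applies filters in declaration order, listing `notnull` first avoids running the html and sanitizer filters on an empty value, and in any case the two pages should agree; suggest `content:notnull,html,general_comments_safe` in this file.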
@@ -27,33 +27,6 @@
     object_name:onevalue
     category:onevalue
     return_url:onevalue
-} -validate {
-    safe_content {
-        #
-        # We do not allow iframes in the content.
-        #
-        if {[regexp -nocase {<(iframe|frame)} $content]} {
-            ad_complain [_ acs-tcl.lt_name_contains_invalid \
-                             [list name [_ general-comments.Comment]]]
-            return
-        }
-
-        #
-        # We do not allow any javascript in the content, including
-        # event handlers.
-        #
-        if {![ad_dom_sanitize_html \
-                  -allowed_tags * \
-                  -allowed_attributes * \
-                  -allowed_protocols * \
-                  -html $content \
-                  -no_js \
-                  -validate]} {
-            ad_complain [_ acs-tcl.lt_name_contains_invalid \
-                             [list name [_ general-comments.Comment]]]
-            return
-        }
-    }
 }
 
 # check to see if the user can create comments on this object
Index: openacs-4/packages/general-comments/www/comment-edit-2.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/general-comments/www/comment-edit-2.tcl,v
diff -u -r1.8.2.4 -r1.8.2.5
--- openacs-4/packages/general-comments/www/comment-edit-2.tcl	23 Mar 2023 15:41:37 -0000	1.8.2.4
+++ openacs-4/packages/general-comments/www/comment-edit-2.tcl	24 Apr 2024 10:40:51 -0000	1.8.2.5
@@ -17,7 +17,7 @@
     comment_id:naturalnum,notnull
     object_id:naturalnum,notnull
     title:notnull,printable,string_length(max|200)
-    content:notnull,html
+    content:notnull,html,general_comments_safe
     comment_mime_type:oneof(text/plain|text/html),notnull
     { return_url:localurl {} }
 } -properties {
@@ -27,23 +27,6 @@
     title:onevalue
     content:onevalue
     target:onevalue
-} -validate {
-    no_js_in_content {
-        #
-        # We do not allow any javascript in the content, including
-        # event handlers.
-        #
-        if {![ad_dom_sanitize_html \
-                  -allowed_tags * \
-                  -allowed_attributes * \
-                  -allowed_protocols * \
-                  -html $content \
-                  -no_js \
-                  -validate]} {
-            ad_complain [_ acs-tcl.lt_name_contains_invalid \
-                             [list name [_ general-comments.Comment]]]
-        }
-    }
 }